In October 2015, over 3 million accounts on the site MPGH.net were compromised when the website was hacked via its vBulletin forum. Email addresses, usernames, IP addresses, and passwords were all compromised in this attack. MPGH.net reset all user passwords following the attack. While this precaution should keep hackers from accessing these accounts directly, accounts on any other sites where users reused the same username and password combination are likely to be compromised.
The compromised passwords were not released in plain text, but as salted hashes. Salting is the process of appending a random string (the ‘salt’) to the password before it is hashed. As a result, even if two users have the same password, the resulting hashed values will be different. Salted hashes are generally considered to be fairly secure, especially if the salt value used is long or obscure. A short salt, or a system which uses the username as the salt, is far less secure. While a salted hash does provide a high level of security, it is possible to crack even a well-built system via brute force attacks. It is not clear whether the passwords have been cracked, but any accounts included in this breach should be considered compromised, and the passwords should not be re-used.
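The salting behaviour described above, as an added Python example that is not code from MPGH.net or vBulletin. It assumes a 16-byte random salt and uses the standard library's PBKDF2-HMAC-SHA256 (an iterated construction chosen here to slow brute force) rather than a single hash of password plus salt; the function names, record format and round count are illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16          # assumption: 128-bit random salt per account
PBKDF2_ROUNDS = 200_000  # assumption: work factor, tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as a non-match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def username_salted(username: str, password: str) -> str:
    """Weak variant from the text: the salt is the username, so it is predictable."""
    return hash_password(password, salt=username.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample accounts: two users who chose the same password.
    rec_a = hash_password("hunter2")
    rec_b = hash_password("hunter2")
    print("random salts, same password, records differ:", rec_a != rec_b)
    print("correct password verifies:", verify_password("hunter2", rec_a))
    print("wrong password rejected:", not verify_password("hunter3", rec_a))
    # With a username salt, the same user and password give the same record
    # on every site using this scheme, so the salt adds no unpredictability.
    same = username_salted("alice", "hunter2") == username_salted("Alice", "hunter2")
    print("username salt repeats across sites:", same)
```

The salt is stored next to the digest because it is not a secret; its job is to make each account's hash unique so one guess cannot be checked against every record at once.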
Following this event, in November 2015, vBulletin released a security patch in reaction to a separate attack directly on the developers’ site. Again, all user passwords were reset following the patch.
MPGH stands for “MultiPlayer Game Hacking”, and the site is a source for user-developed game hacks and cheats. The site has both downloadable hacks and a vBulletin-based forum for developers to discuss and collaborate on their own game hack projects. Currently, it has over 3.2 million members.
Interestingly, the MPGH.net website posted an April Fool’s joke the year before this breach, jesting that their site had been compromised.
References:
April Fool’s post: http://www.mpgh.net/forum/showthread.php?t=810838
Official hack admission: http://www.mpgh.net/forum/showthread.php?t=1042586
Have I Been Pwned: https://haveibeenpwned.com/PwnedWebsites#MPGH
Salting passwords: https://crackstation.net/hashing-security.htm#salt
vBulletin hack: http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fears-of-serious-internet-wide-0-day-attacks/