"Have I been pwned" receives its first self-submission

Original author: Troy Hunt
Of course, a few years ago I could not have imagined how far my Have I been pwned (HIBP) project would go, but I have just loaded the 100th breach into the system. That brings the total to 336,724,945 breached accounts loaded over the past few years, which I confess I did not expect to see.

The hundredth breach, however, is not quite like the previous ones: I received it from the site that was itself hacked. Call it a "self-submission", if you like. Usually, after a site is breached, the data spreads across the web while the affected company either has no idea what happened or denies it in every way possible. Just yesterday I wrote "If I can confirm the breach, why can't they?", in which I called out organizations like the Philippines Election Commission and Naughty America for failing to acknowledge security incidents weeks after they occurred. Just as it is unethical for hackers to break into systems and put people at risk, it is equally unethical for organizations to deny incidents and make no effort to protect their users.

I recently received an email that read:
I am the administrator/developer of a game forum with ~80,000 accounts. A few weeks ago we had a database leak, and we would like to add the information to your site.

As you can imagine, I often have what you might call "interesting" interactions with people who appear out of nowhere wanting to talk about breaches, but this one turned out to be exactly what it claimed. The site is TruckersMP, a truck-driving simulator (a fan-made multiplayer modification for Euro Truck Simulator 2 and American Truck Simulator; translator's note).


The news of the hack was published on the site on February 25 at 19:39, 2 hours and 9 minutes after the breach was detected, and the breach itself was detected just 30 minutes after it occurred. A short blog post explained exactly what had happened and apologized, all within a few hours of the event.

I wondered why they had decided to write in and provide the data to HIBP. We exchanged a few emails (including verifying that my correspondent really was the site administrator and that the data was provided legitimately), and I received this answer:
We are extremely concerned about security issues and feel a responsibility and a duty to inform our users about leaks. All members of our team agreed that it would be good to add our case; we would like to see other sites do the same, given the unfortunate circumstances.

I have some ideas about how HIBP could work together with breached organizations to help those whose accounts have been compromised, but I did not expect this.

Maybe I have become a little cynical after hundreds of "we take security very seriously" statements from organizations that obviously do not, so an answer like this, which does not try to spin the situation to their own advantage or reverse the facts, is encouraging. If only companies with billions in revenue or government agencies acted this responsibly...

At the moment there are 83,957 TruckersMP accounts on HIBP.
