Pirate Bay account database compromised

Published: 2010-07-08. Last Updated: 2010-07-08 19:56:50 UTC
by Kyle Haugsness (Version: 1)
1 comment(s)

Juha-Matti was the first to write in with this article from Brian Krebs.  The article explains how the Pirate Bay user database was compromised via SQL injection.  http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/

Of course, I am sure that none of our readers would have an account at the Pirate Bay except for the rare "I'm doing security research" purpose only.  But you may want to drop a helpful hint to your "friends". 

-Kyle Haugsness

Keywords: pirate bay
1 comment(s)

Comments

I've been going around websites where I remember creating an account, and doing an 'audit' of what data I had stored there. I'm deleting any data they don't need about me, reviewing what privacy controls they have, and in some cases deleting my account there. I'm also resetting passwords to ensure they're unique per-site and making a note of where, and when, I set the password.

Unfortunately I'd forgotten about The Pirate Bay, where I once (legally!) posted a friend's music album some time ago. My account activation email tells me what password I used when signing up there so I can try to make sure I'm not using that anywhere else.

The article claims that some 'MD5 hashing' was used on passwords, but that's relatively weak these days. A precomputed table of hashed passwords would allow the original password to be determined. Some sort of 'salt' concatenated or XOR'd with the password before hashing may have increased security in this case, but we don't know if that was done or not.

Diary Archives