6.5 million emails and poorly encrypted passwords from Dueling Network, a card game in the style of Yu-Gi-Oh, announced Motherboard. The website's forum has been kept online, although Dueling Network was shut down in 2016 following a cease-and-desist order. The request was made by a law firm on behalf of the animation company holding the rights to Yu-Gi-Oh. “Only our forum site was still up as a way for our users to communicate with each other (login used DN [Dueling Network] credentials),” an administrator wrote in an email to Motherboard. “Now that is down and warns users to change passwords on any other sites they may have used the same password on.” The passwords were hashed with the MD5 algorithm, known to have extensive vulnerabilities that allow hackers to get plaintext passwords. A company administrator said not all stolen emails and passwords are associated with individual players, as some accounts appear to be duplicates.
A hacker claims to have managed to get his hands on 6.5 million email addresses and poorly hashed passwords pertaining to users of Dueling Network, a now-dead Flash game that's based on the Yu-Gi-Oh trading card game. Dueling Network shut down in 2016, but its site's forum carried on until recently. "Only our forum site was still up as a way for our users to communicate with each other (login used Dueling Network credentials). Now that is down and warns users to change passwords on any other sites they may have used the same password on," a site admin told Motherboard. The hacker made away with at least 6.5 million accounts, although the site admin claims that not all of those necessarily correspond to individual players, as many of the accounts may have been duplicates owned by the same user, or were never actually logged in. "This number is inflated," the site admin claims.

"Weak password hashing makes them readable in plaintext"

The data trove the hacker got his hands on includes email addresses and passwords hashed with MD5, which is pretty much useless at this point. This means that hackers are quite likely able to see all the passwords in plaintext, which is bad news for anyone who reuses those passwords for any accounts linked to the same email addresses. Black Luster Soldier, the admin of Dueling Network, believes the hacker used a vulnerability in MySQL to obtain the data, although nothing is confirmed at this point. Regardless of how the hack happened, users are advised to change their passwords for any other services where they use the same credentials as on Dueling Network.
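Both reports above turn on passwords stored as MD5. The following Python code is an added example, not code from Dueling Network or from either article: it shows how an operator holding such a table can wrap each stored digest in a salted, memory-hard KDF without knowing the passwords, then drop the MD5 layer at the next successful login. The unsalted hex-MD5 format, the record layout, the scrypt parameters and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """Weak legacy scheme (assumed): one fast, unsalted MD5 pass, hex-encoded."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt(material: str, salt: bytes) -> bytes:
    return hashlib.scrypt(material.encode(), salt=salt, **SCRYPT)

def wrap_legacy(md5_hex: str) -> dict:
    """Upgrade a stored MD5 digest at rest, without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "salt": salt, "hash": _scrypt(md5_hex, salt)}

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "hash": _scrypt(password, salt)}

def verify(password: str, rec: dict) -> bool:
    material = legacy_md5(password) if rec["scheme"] == "scrypt(md5)" else password
    return hmac.compare_digest(_scrypt(material, rec["salt"]), rec["hash"])

def login(password: str, rec: dict):
    """Return the record to store after a login attempt, or None on failure."""
    if not verify(password, rec):
        return None
    # First successful login drops the MD5 layer entirely.
    return rec if rec["scheme"] == "scrypt" else new_record(password)

def demo() -> dict:
    # Constructed sample table: two accounts that chose the same password.
    legacy = {"alice@example.com": legacy_md5("blue-eyes-2016"),
              "bob@example.com": legacy_md5("blue-eyes-2016")}
    wrapped = {user: wrap_legacy(h) for user, h in legacy.items()}
    a, b = wrapped["alice@example.com"], wrapped["bob@example.com"]
    return {
        "legacy_hashes_identical": len(set(legacy.values())) == 1,
        "wrapped_hashes_identical": a["hash"] == b["hash"],
        "login_ok_scheme": login("blue-eyes-2016", a)["scheme"],
        "wrong_password": login("wrong-guess", a),
    }

if __name__ == "__main__":
    print(demo())
```

Wrapping only protects the table from that point on; digests that were already copied stay as weak as before, which is why the password-change advice in the articles still applies.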
RawPOS continues to evolve, and has recently been equipped with the capability to steal data contained in the 2-dimensional barcode of victims' driver's licenses. “Although the use of this barcode is less common than credit card swipes, it is not unheard of. Some people might experience getting their driver's license barcode scanned in places like pharmacies, retail shops, bars, casinos and other establishments that require it,” Trend Micro researchers explained. “Traditionally, PoS threats look for credit card mag stripe data and use other components such as keyloggers and backdoors to get other valuable information. RawPOS attempts to gather both in one go, cleverly modifying the regex string to capture the needed data.” This particular variant is geared towards collecting data from driver's licenses issued in the US. Thus, along with payment card data, criminals also get information such as the victims' full name, date of birth, full address, gender, height, hair and eye color. This additional info could definitely help criminals impersonate the card holder in many identity theft scenarios, as well as while effecting fraudulent card-not-present transactions. RawPOS is one of the oldest known Point-of-Sale RAM scraper malware families. Its first incarnation was spotted all the way back in 2009. According to the researchers, it is mainly used by threat actors that focus on targeting businesses operating in the hospitality industry.
Spiral Toys, the parent company behind CloudPets, yesterday sent the California Attorney General a breach notification that on many fronts contradicts what experts have said about a database breach that exposed user data and private voice messages, many of which were made by children. The notification says that the company was not aware of a breach until Feb 22, when it received an inquiry from a Motherboard reporter who was informed by researchers Troy Hunt and Victor Gevers of a serious issue involving the toymaker's customer data. This runs contrary to timelines provided by Hunt and Gevers showing both reached out to a number of Spiral Toys contacts, including its ZenDesk ticketing system, around Dec 30. The data was copied and deleted from an exposed MongoDB instance found online. It's unknown how many times the database was accessed before its contents were deleted and a ransom note left behind, symptomatic of other attacks against poorly protected MongoDB databases. The recordings were not stored in the database, but the database did contain references to file paths to the messages, which were stored on an Amazon Web Services (AWS) S3 storage bucket. The database, Spiral Toys said in its notification, did include emails and encrypted passwords, which Hunt counters were not encrypted, but were hashed with bcrypt. Combined with a nonexistent password strength rule on Spiral Toys' part, the hashed passwords could easily be cracked, Hunt said. The company meanwhile said it would notify 500,000 affected users, force a password reset, and implement new password strength requirements. Hunt and Gevers said there were actually more than 800,000 registered users exposed in the breach. “The breach has been addressed and from our best knowledge no images or messages were leaked onto the internet,” Spiral Toys said.
“A hacker could get to that data if they started ‘guessing’ simple passwords”. Which is exactly what a hacker would do, Hunt said. “This is what hash cracking is and it's a highly automated process that's particularly effective against databases that had no password rules,” Hunt said. Hunt points out that simple passwords such as qwe—a sample password shown during a CloudPets setup video—combined with the stolen email addresses pose a serious privacy risk. CloudPets are teddy bears that can send and receive messages using Bluetooth Low Energy connectivity to a mobile app, which sends the messages. The most typical use case is where a child can remotely send a message to a parent or authorized adult through the bear. “If this product was secure, it would have been a nice contribution to the IOT/gadget/toy market,” Gevers said. “The best thing is that they learn from this and start making a new secure product line”.