
Topic: [PSA] WhiskChat Hack Analysis - CHANGE YOUR PASSWORDS IF YOU USED WHISKCHAT! (Read 657 times)

hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
What was the hashing algorithm for the passwords? Did you employ at least 7500 rounds of SHA512? Did you not check for holes in your website?
I used Node.js' crypto functions. TradeFortress coded the hashing bit; he should know more about it. Holes (if any) would not yield password hashes due to the way WhiskChat is coded.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
What was the hashing algorithm for the passwords? Did you employ at least 7500 rounds of SHA512? Did you not check for holes in your website?
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
So, WhiskChat got hacked.
Read my hypotheses on the hack at http://whiskers75.com/hacked - I'll update this with info as it comes.
A database dump was posted to http://pastebin.com/d1Wafvab (now removed, thankfully) on this account (it was hacked at that moment in time) containing ALL user emails and HASHED passwords.
However, hashed passwords may not be as safe as we think: I believe that this hash was used to hack into my other accounts, so change your passwords! (you should do this regularly anyway, mkay?)
I recommend LastPass for managing your passwords - JUST MAKE SURE YOU USE A SECURE (and I mean secure) MASTER PASSWORD!
Sorry for the hack, it could happen to anyone - hopefully, it won't happen again.
-whiskers75

Update: See how easy it is to crack SHA256 hashes: http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html
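
An added example, not part of the original post and not WhiskChat's code: it contrasts a single unsalted SHA-256 pass (assumed here for the leaked dump; the thread does not confirm the exact scheme) with a salted scrypt hash built from Node.js' `crypto` module. The sample accounts, function names and scrypt parameters are constructed for illustration.

```javascript
const crypto = require("crypto");

// Fast, unsalted digest: the scheme assumed for the leaked dump.
// Identical passwords give identical hashes, and each guess costs microseconds.
function fastHash(password) {
  return crypto.createHash("sha256").update(password, "utf8").digest("hex");
}

// scrypt cost parameters (assumed values; raise N as far as your servers allow).
const SCRYPT = { N: 16384, r: 8, p: 1 };
const KEYLEN = 32;

// Salted, memory-hard hash stored as "saltHex$keyHex", with a fresh salt per user.
function slowHash(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEYLEN, SCRYPT);
  return salt.toString("hex") + "$" + key.toString("hex");
}

// Re-derive the key with the stored salt and compare in constant time.
function verify(password, stored) {
  const [saltHex, keyHex] = stored.split("$");
  if (!saltHex || !keyHex) return false; // malformed record
  const expected = Buffer.from(keyHex, "hex");
  if (expected.length !== KEYLEN) return false;
  const salt = Buffer.from(saltHex, "hex");
  const actual = crypto.scryptSync(password, salt, KEYLEN, SCRYPT);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample accounts: two users share one password.
const users = [
  { email: "a@example.com", password: "hunter2" },
  { email: "b@example.com", password: "hunter2" },
  { email: "c@example.com", password: "correct horse" },
];

// Number of distinct stored values a dump would contain under a given scheme.
// Fewer values than users means shared passwords are visible in the dump.
function distinctStored(hashFn) {
  return new Set(users.map((u) => hashFn(u.password))).size;
}

console.log("sha256 distinct:", distinctStored(fastHash));
console.log("scrypt distinct:", distinctStored(slowHash));
```
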