# 3 Penton Properties, Including WHT, Reportedly Breached, Data of 1.7 Million Users For Sale



## DomainBop (Jul 8, 2016)

> Hacker leaks data for nearly 1,7 million users
> 
> 
> According to uid0, the Mac Forums database contains the private details of over 291,000 users, the Hot Scripts database comprises details of over one million users, and the Web Hosting Talk data dump contains details on over 400,000 users.
> ...



http://news.softpedia.com/news/databases-from-hot-scripts-mac-forums-web-hosting-talk-surface-on-the-dark-web-506129.shtml


http://www.csoonline.com/article/3093018/security/mac-forums-hot-scripts-and-web-hosting-talk-databases-for-sale.html


*edited to add:*


shit security practices by Penton so "reportedly breached" is probably true.  Examples: both TheWhir and the HotScripts blog are running the very vulnerable and outdated  WordPress 4.3.1 so it wouldn't surprise me if a hacker was able to compromise their servers.  You'd think a company like Penton with $364 mill in revenues and 1200 employees would have someone on staff who had the sense to keep their software patched...guess not.


----------



## SkylarM (Jul 8, 2016)

First thing I did was check what password I used there. Bunch of apple users compromised potentially related to this.


----------



## drmike (Jul 8, 2016)

Penton not only was hacked like this, but prior was hacked for memberships.


The big memberships and the small memberships for WHT were all up for "free" or nearly free. 


They brushed that under the rug real quick, never made mention of it, etc.


With all the people and money swirling Penton, they should be way more on top of things.


Seems like the sites (WHT namely) are on autopilot and spiraling down the drain.


----------



## DomainBop (Jul 9, 2016)

drmike said:


> Penton not only was hacked like this, but prior was hacked for memberships.



...and then there was that time an employee lost a company laptop containing customer credit card data 


bonus points:  the parent company's website is running WordPress 3.9.1 (released back in May 2014) which contains a 0day vulnerability http://www.penton.com/readme.html


The thing I find most interesting though is that a company whose research division conducts  IT Security surveys of industry professionals doesn't even bother to keep its own systems up to date.


----------



## drmike (Jul 9, 2016)

Big question is what got leaked in this hack... Were passwords hashed and what was the richness of the rest of the data?


If it's username + hash, then minimal impact, they just look stupid again.  If it's full field data, then other implications perhaps.


----------



## Licensecart (Jul 9, 2016)

drmike said:


> Big question is what got leaked in this hack... Were passwords hashed and what was the richness of the rest of the data?
> 
> 
> If it's username + hash, then minimal impact, they just look stupid again.  If it's full field data, then other implications perhaps.



I'd assume it's everything via a SQLi in VB4: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4345175-security-update-for-vbulletin-4


----------



## drmike (Jul 9, 2016)

... " The issue could potentially allow attackers to perform SQL Injection attacks via the included Forumrunner add-on."....


----------



## DomainBop (Jul 9, 2016)

Licensecart said:


> I'd assume it's everything via a SQLi in VB4:



WHT and Mac-Users use VB but HotScripts doesn't use VB so the outdated forum software isn't necessarily the culprit.  A WP vulnerability, a vulnerability in the HotScripts directory script (which has been hacked in the past: 2005, 2010) , or a social engineering attack are also possibilities.  


The hacker probably exploited a vulnerability in one site and from there was able to gain access to the databases of the other 2 sites. All 3 sites are hosted at LiquidWeb so their databases may be on the same cluster of dedicated servers (or they could use the same user/password combinations for their DBs)...gain root access via one site and grab all 3 DBs.


*edit: *according to an article on Motherboard the hacker is claiming the breach occurred on July 4, 2016 and a total of 5 Penton sites were compromised.



> On Friday, an operator of the data breach awareness site LeakedSource said that hackers breached the media company Penton on July 4, 2016 and stole the databases of Web Hosting Talk, Mac Forums, HotScripts.com, dBforums, and A Best Web.



http://motherboard.vice.com/read/hackers-allegedly-steal-14m-passwords-from-mac-forums-web-hosting-talk


Also from that Motherboard article:



> The operator said that the passwords are not in plaintext, but are hashed,...
> 
> 
> ...The bad news is that they were hashed with the MD5 algorithm, which is notoriously weak, and the salt is in the database “next to [the] hashes,” according to the operator.
> ...


----------



## DomainBop (Jul 9, 2016)

drmike said:


> Big question is what got leaked in this hack...



WebHostingTalk.com has: 1 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 username, Possible plaintext password, hash, email, register_date, last_login, birthday, ipaddress, salt


source: leakedsource.com


edited to add: if your data appears on leakedsource you can get your email address removed from their searchable DB (removal link is on their FAQ page).


----------



## Licensecart (Jul 10, 2016)

DomainBop said:


> WHT and Mac-Users use VB but HotScripts doesn't use VB so the outdated forum software isn't necessarily the culprit.  A WP vulnerability, a vulnerability in the HotScripts directory script (which has been hacked in the past: 2005, 2010) , or a social engineering attack are also possibilities.
> 
> 
> The hacker probably exploited a vulnerability in one site and from there was able to gain access to the databases of the other 2 sites. All 3 sites are hosted at LiquidWeb so their databases may be on the same cluster of dedicated servers (or they could use the same user/password combinations for their DBs)...gain root access via one site and grab all 3 DBs.
> ...



Well they have a outdated Wordpress for WHIR, so you can say it could be hacked via Wordpress, you only need access to the server through an exploit right and then they can get any database they want.

http://www.thewhir.com/readme.html
Version 4.3.1


----------



## lowesthost (Jul 10, 2016)

DomainBop said:


> WebHostingTalk.com has: 1 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 username, Possible plaintext password, hash, email, register_date, last_login, birthday, ipaddress, salt
> 
> 
> source: leakedsource.com
> ...



Password  I paid for a 1 day  just to look at what data was leaked   


real password =Defiantly 


looks like someone accessed  from South Africa even though I changed the password  as soon as I saw the thread on WHT 


email  = yes I use a disposable  forwarder  so that going to change 


there was some leftover data from the WHMCS hack in 2015  which I all ready knew was in there  other than getting some occasional spam on the email address  there is no information that cant be had publicly so no big deal 


found some other info  that was leaked as well but no notification from the affected sites 


one site deleted my membership  and the other had  a force password change was there


----------



## DomainBop (Jul 12, 2016)

This post today on WHT from SoftWareRevue probably qualifies as the first official acknowledgement of the hack:



> Today, 01:18 PM #156 SoftWareRevue
> 
> 
> We have identified a potential unauthorized access that may affect our users’ personal information. We have been working diligently around the clock with a third-party forensics team to confirm the nature of the access and mitigate any potential risk to our users. Over the past 82 hours we have implemented a variety of security protections and are preparing to communicate with all affected users once we have sufficient information to share.



Implementing security protections on your own sites is good of course, but after doing a few searches on LeakedSource tonight I've decided that chopping off employees hands so they can't fill out registration forms and use their company email address to register on other websites might also be a very good idea to improve company security...especially since some of those employees no doubt use the same password / company email combo everywhere which creates a security problem when the sites they've registered on get hacked and their login info gets spilled all over the web.


A few examples of leaked databases to illustrate why you should take the security precaution of discouraging your employees from using their company email address to register on other sites and why you should expressly forbid them from using a company email address when the registration on the other site is not business related (_note: LeakedSource limits their search results to the first 200 results so the following lists aren't even close to being complete lists of the number of times employees have had accounts associated with a corporate email address hacked_)


*Example 1: Hostgator employees using a company @hostgator.com email address:*


MySpace.com has: 15 result(s) found. This data was hacked on approximately 2013-06-11 00:00:00 
Linkedin.com has: 26 result(s) found. This data was hacked on approximately 2012-06-05 00:00:00 
Adobe database has: 40 result(s) found. This data was hacked on approximately 2013-10-01 00:00:00 
Tumblr.com has: 3 result(s) found. This data was hacked on approximately 2013-02-28 00:00:00 
VerticalScope Network (Vbulletin) (939 Websites) has: 10 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00 
Twitter.com has: 2 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 
Unknown Emails has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 
HeroesOfNewerth.com Part 2 has: 2 result(s) found. This data was hacked on approximately 2012-01-01 00:00:00 
Snail Games has: 1 result(s) found. This data was hacked on approximately 2015-03-14 18:15:12 
Daniweb.com has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 
Blackhatworld Users has: 2 result(s) found. This data was hacked on approximately 2014-06-01 00:00:00 
Android Forums has: 1 result(s) found. This data was hacked on approximately 2013-12-26 00:00:00 
Devshed.com has: 2 result(s) found. This data was hacked on approximately 2016-02-07 00:00:00 
WebHostingTalk.com has: 18 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 


*Example 2: Arvixe employees using a company @arvixe.com email address:*


MySpace.com has: 4 result(s) found. This data was hacked on approximately 2013-06-11 00:00:00 W
Linkedin.com has: 4 result(s) found. This data was hacked on approximately 2012-06-05 00:00:00 W
Adobe database has: 8 result(s) found. This data was hacked on approximately 2013-10-01 00:00:00 W
Badoo.com has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 W
Neopets.com has: 2 result(s) found. This data was hacked on approximately 2013-10-08 00:00:00 W
Zoosk.com has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 W
VerticalScope Network (Vbulletin) (939 Websites) has: 6 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00 W
VerticalScope Network (SMF) (54 Websites) has: 1 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00 W
Ipmart-forum.com has: 1 result(s) found. This data was hacked on approximately 2015-11-10 00:00:00 W
Blackhatworld Users has: 4 result(s) found. This data was hacked on approximately 2014-06-01 00:00:00 W
Devshed.com has: 1 result(s) found. This data was hacked on approximately 2016-02-07 00:00:00 W
WebHostingTalk.com has: 26 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 W
Acne.org Forums has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 W 
Vbulletin.com has: 3 result(s) found. This data was hacked on approximately 2015-10-27 00:00:00 W
DbForums.com has: 1 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 W
PHPFreak.com has: 6 result(s) found. This data was hacked on approximately 2015-09-28 00:00:00 W
OVH Kimsufi has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 W
ABestWeb.com has: 3 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 W
Linuxmint.com has: 1 result(s) found. This data was hacked on approximately 2016-02-13 00:00:00 W
WHCMS Users has: 2 result(s) found. This data was hacked on approximately 2015-07-02 00:00:00 W


*Endurance.com (EIG parent company) employees using an @endurance.com email address:*


MySpace.com has: 14 result(s) found. This data was hacked on approximately 2013-06-11 00:00:00 W
Linkedin.com has: 37 result(s) found. This data was hacked on approximately 2012-06-05 00:00:00 W
Adobe database has: 24 result(s) found. This data was hacked on approximately 2013-10-01 00:00:00 W
Tumblr.com has: 7 result(s) found. This data was hacked on approximately 2013-02-28 00:00:00 W
Neopets.com has: 3 result(s) found. This data was hacked on approximately 2013-10-08 00:00:00 W
iMesh.com has: 1 result(s) found. This data was hacked on approximately 2013-09-22 00:00:00 W
*Fling.com has: 3 result(s) found*. This data was hacked on approximately 0000-00-00 00:00:00 W
VerticalScope Network (Vbulletin) (939 Websites) has: 3 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00 W
Twitter.com has: 1 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 W
*Youporn.com has: 13 result(s) found.* This data was hacked on approximately 0000-00-00 00:00:00 W
Patreon Database has: 2 result(s) found. This data was hacked on approximately 2015-09-28 00:00:00 W
Bluehost users Vbulletin has: 3 result(s) found. This data was hacked on approximately 0000-00-00 00:00:00 W
WebHostingTalk.com has: 2 result(s) found. This data was hacked on approximately 2016-07-04 00:00:00 W


----------



## SafehouseCloud (Jul 12, 2016)

At least now they acknowledge the hack official. Best way to solve an issue is to accept it.


----------



## Hxxx (Jul 13, 2016)

They are late.


----------



## lowesthost (Jul 14, 2016)

Hxxx said:


> They are late.



Day late & a dollar short (after I already change my password)  


nothing important there anyway other than the password  which I will never use again


----------

