
Analysis on Global Maplestory (GMS) leaked accounts

Author duststar | 20.01.2010 | Category Cyber Security, MapleGlobal

A follow-up to my earlier post on the leak (reproduced below).

Here is a short analysis of the leaked accounts.

A total of 139 accounts were leaked. The attackers probably hold more: the “id” values run in an unbroken sequence, which suggests the list was “ripped” from a database or another structured data source rather than gathered piecemeal.

Findings

1. Three accounts used the same string as both login ID and password.

2. Shortest password length was 6.

Examples:
112991
kablam
dragon
123123
123321
hacker
abc123
123456
……

3. Longest password length was 12.

Examples:
narutoistheb
fataliity225
412173lesche
manquehue199
samsung770k1

4. 113 passwords (81.29%) were used by only one account; the other 26 (18.71%) were shared with at least one other account in the list.

Duplicated passwords and the number of accounts using each (these 12 values account for all 26 duplicated accounts):
pokemon = 2
112991 = 2
kablam = 3
pspds3 = 2
21coryt21 = 2
123123 = 2
annaviv1 = 2
i2345i = 2
pokemaniac = 3
stephanie = 2
google = 2
kiko052500 = 2

5. Passwords used by players are generally WEAK. Rated on a weak/medium scale (no password qualified as strong):

Weak = 107 (76.98%), e.g. yonatan
Medium = 32 (23.02%), e.g. samsung770k1
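The statistics above were computed by hand from the leaked list. The script below, added here as an illustration and not part of the original post, reproduces the same measurements (sequential ids, login-equals-password, length range, single-use versus duplicated passwords, and a strength rating) over any credential dump in a simple "id,login,password,pin" layout. The layout, the sample records and the weak/medium/strong heuristic are all assumptions made for the example; the post does not state its rating criterion, and the real leaked data is not reproduced.

```python
import re
from collections import Counter

# Constructed sample in an assumed "id,login,password,pin" layout. The values are
# invented for this example; the real leaked list is not reproduced here.
SAMPLE_DUMP = """\
1001,kablam,kablam,1234
1002,dragonfan,dragon,5566
1003,ace_pl,123456,0000
1004,narutofan,narutoistheb,4321
1005,jmo,samsung770k1,1111
1006,kablam2,kablam,2222
1007,s770,samsung770k1,7777
1008,zed,hacker,9999
"""


def parse_dump(text):
    """Parse one credential record per line; skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        rec_id, login, password, pin = parts
        rows.append({"id": int(rec_id), "login": login,
                     "password": password, "pin": pin})
    return rows


def ids_are_sequential(rows):
    """True when every id is exactly one more than the previous one, which is
    what a contiguous slice of a database export looks like."""
    ids = [r["id"] for r in rows]
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


def strength(password):
    """Assumed rating heuristic (the post does not state its criterion):
    count character classes; weak unless at least two classes and 8+ chars,
    strong only with three or more classes and 12+ chars."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(password) >= 12 and classes >= 3:
        return "strong"
    if len(password) >= 8 and classes >= 2:
        return "medium"
    return "weak"


def analyse(rows):
    """Reproduce the post's statistics for an arbitrary credential list."""
    passwords = [r["password"] for r in rows]
    counts = Counter(passwords)
    duplicated = {p: n for p, n in counts.items() if n > 1}
    dup_accounts = sum(duplicated.values())
    return {
        "total": len(rows),
        "sequential_ids": ids_are_sequential(rows),
        "login_equals_password": sum(1 for r in rows if r["login"] == r["password"]),
        "shortest": min(len(p) for p in passwords),
        "longest": max(len(p) for p in passwords),
        # "single_use" is the post's notion of "unique": used by one account only
        "single_use": len(rows) - dup_accounts,
        "duplicated_accounts": dup_accounts,
        "duplicated": duplicated,
        "strength": dict(Counter(strength(p) for p in passwords)),
    }


def pct(n, total):
    """Format a count the way the post does, e.g. '113 (81.29%)'."""
    return f"{n} ({100.0 * n / total:.2f}%)"


if __name__ == "__main__":
    r = analyse(parse_dump(SAMPLE_DUMP))
    print(f"accounts: {r['total']}, ids sequential: {r['sequential_ids']}")
    print(f"login == password: {r['login_equals_password']}")
    print(f"password length: {r['shortest']}..{r['longest']}")
    print(f"single-use: {pct(r['single_use'], r['total'])}, "
          f"duplicated: {pct(r['duplicated_accounts'], r['total'])}")
    for p, n in sorted(r["duplicated"].items(), key=lambda kv: -kv[1]):
        print(f"  {p} = {n}")
    for label, n in r["strength"].items():
        print(f"{label}: {pct(n, r['total'])}")
```

Run it on a real dump by replacing SAMPLE_DUMP with the file contents; `pct` reproduces the post's figures exactly (113 of 139 gives "113 (81.29%)"). Note that the duplicate counts reveal shared passwords across accounts even before any cracking, which is exactly the information an unsalted hash would also leak.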

Conclusion

1. People are still using WEAK passwords.
2. Wherever these passwords are stored, they must never be kept in clear text. Store only a salted hash, and use a purpose-built slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) rather than a general-purpose digest such as MD5 or SHA-1: those run so fast that a dictionary attack over passwords like the ones above recovers most of them in seconds, salt or no salt.
3. Consider changing your account password to at least 12 characters mixing upper- and lower-case letters and digits, and include symbols such as !, $ or ? where the site allows them.
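To make point 2 concrete, and to answer the question asked in the original post below about clear-text storage, the following added example (not code from the post or from the game's operator) stores a constructed user table two ways and attacks both with a small wordlist built from the kinds of values seen in the leak. Unsalted MD5 falls to a single shared lookup table and also exposes which users share a password; salted PBKDF2 from the Python standard library forces one full derivation per user per guess. The user names, passwords, wordlist and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed "leaked" user table; names and passwords are invented for this example,
# with the passwords chosen to resemble the ones in the post.
USERS = {
    "alice": "123456",
    "bob": "kablam",
    "carol": "kablam",          # same password as bob
    "dave": "Tr0ub4dor&3xyz",   # not in any short wordlist
}

# Small constructed wordlist of the kind a cracker builds from earlier leaks.
WORDLIST = ["123456", "dragon", "kablam", "hacker", "abc123",
            "pokemon", "stephanie", "google", "samsung770k1"]


def store_md5(password):
    """Unsalted fast digest, shown here only to demonstrate why it is inadequate."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, iterations=600_000):
    """Salted, deliberately slow derivation using only the standard library.
    The record carries algorithm, cost and salt so the cost can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so verification does not leak matching prefixes
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(records, wordlist):
    """One digest per candidate recovers every user at once: the table can be
    shared because nothing per-user went into the hash."""
    table = {store_md5(w): w for w in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


def crack_salted(records, wordlist):
    """With a per-user salt and a high iteration count every (user, guess) pair
    costs a full derivation, so a leak of N users costs N times the work.
    Returns the cracked users and the number of derivations that took."""
    cracked = {}
    derivations = 0
    for user, record in records.items():
        for guess in wordlist:
            derivations += 1
            if verify_pbkdf2(guess, record):
                cracked[user] = guess
                break
    return cracked, derivations


def identical_hash_groups(records):
    """Unsalted storage also reveals which users share a password."""
    by_hash = {}
    for user, h in records.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    md5_db = {u: store_md5(p) for u, p in USERS.items()}
    print("unsalted MD5 cracked:", crack_unsalted(md5_db, WORDLIST))
    print("users sharing a password:", identical_hash_groups(md5_db))
    pbkdf2_db = {u: store_pbkdf2(p) for u, p in USERS.items()}
    cracked, work = crack_salted(pbkdf2_db, WORDLIST)
    print(f"salted PBKDF2 cracked: {cracked} after {work} derivations")
    print("no two PBKDF2 records equal:", len(set(pbkdf2_db.values())) == len(pbkdf2_db))
```

The weak passwords are recovered in both cases; what changes is the cost per guess and the fact that the attacker cannot reuse work across users, which is the whole point of the slow, salted construction. PBKDF2 is used because it needs no third-party package; bcrypt, scrypt or Argon2 are the usual production choices. Hashing does nothing for a four-digit PIN, whose 10,000 possible values are exhausted offline in an instant: a PIN has to be protected by server-side rate limiting and lockout, not by how it is stored.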

.duststar

Global Maplestory (GMS) leaked accounts

Author duststar | 20.01.2010 | Category Cyber Security, MapleGlobal

I saw this piece of news from: http://forums.asiasoftsea.net/showthread.php?t=753468

Then followed to: http://www.southperry.net/forums/showthread.php?t=22241

It seems that some people posted a list of global Maplestory (GMS) accounts online, with passwords and PINs in clear text. At the time of writing, I can still find this list within 5 seconds on the Internet.

I have just read the 20+ pages at the southperry forum; someone did “try out” the list of IDs and passwords and was able to log in. This probably validates that it is real data.

Let’s assume it is real.

Here is my ONE and ONLY question. Are the password and PIN stored as clear text in the database?

.duststar