Hacking forum Nulled.io gets taste of own medicine

18 May 2016

Online hacking forum Nulled seems to have got a taste of its own medicine. Security experts say that the forum has been breached, with the content of more than 800,000 messages and the account information of 536,000 registered users now a few clicks away from ordinary internet users and law enforcement agencies.

The Nulled.io forum – with the tagline "expect the unexpected" – served as a clearinghouse for leaked information after other sites were breached. Now, someone has done to it what it did to others.

It's unclear who's behind the hack, which reportedly captured the site's full database, potentially including many documented instances of criminal behaviour.

Invoices, payment information, encrypted passwords and IP addresses are included in the haul, along with the board's 2.2 million posts, including those behind a "VIP" paywall.

The tech firm Risk Based Security reported the breach last week, after the information was reportedly leaked on 6 May. Online security expert Troy Hunt, who maintains haveibeenpwned.com, a website that monitors hacks and alerts victims, later confirmed their reporting.

The leak is believed to have been made possible by known security flaws in the site's software.

Nulled.io is currently offline, with a homepage message citing "temporary unscheduled maintenance."

Another online forum, meanwhile, is serving as a sounding board for anxious victims.

"Wow, this is crazy. I didn't expect this to happen. How is this even possible. I thought that Nulled site was really well protected," one commenter wrote on leakforums.net. "I am also concerned because I have an account there."

"Mom [expletive] hold me, I'm scared," another confided on a thread with hundreds of user comments.

"Man, is this [expletive] for real? I have an account there!" another wrote. "[Expletive] I need to check if I'm in here," a user wrote in an observation submitted repeatedly.

Not everyone on that forum was upset. Others seemed eager to cannibalize their crime-minded community.

"Some fresh meat, finally," a user beamed. "[N]ice, will come in handy," another person typed.

Though leaked account passwords are encrypted, Ars Technica reports they may now be unmasked.

"The passwords appear to be protected by MD5, a hashing algorithm that's woefully inadequate for storing passwords because the underlying algorithm is so fast," Ars Technica's Dan Goodin reports. "The hashes observed by Hunt have cryptographic salts attached to them, so it's possible the MD5 hashes were iterated enough times to make mass cracking impractical. Either way, it's surprising that a hacking site that counselled users to expect the unexpected didn't rely on a more secure hashing function."

A more serious concern may be a user's IP address or PayPal account being tied to criminal conduct.

"By simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds," Risk Based Security explained in a blog post.

A data dump also has the potential to cause more than embarrassment for some sexual fetish forum members.

"As you can imagine, this can lead to significant problems for forum users. If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any 'suspects' under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts."

"RIP those who are mean and hack websites for no reason," one commentator wrote.