Hadn’t seen this posted, but for anyone who uses Trading Paints in conjunction with iRacing you need to go in and change passwords NOW!

There was a leak of 270,000 accounts with emails/passwords in md5 format (easily reversible to plaintext)

If you use the service make sure to reset your passwords asap and if you use the password shared on other services you should make sure to change it as well

    • BURN@lemmy.worldOPM
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Seriously. MD5 is in no way secure. At the very minimum it should have been encrypted with an algo that isn’t already broken. Pretty disappointed in the TP devs TBH. That’s not an oversight, that’s a complete and utter disregard for the safety of their users information

      • mranderson17@infosec.pub
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        What’s crazy is that I think this service was developed after md5 was shown to be widely compromised (2011-2012). Not 100% sure though, I wasn’t able to find an exact release date.

        • BURN@lemmy.worldOPM
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Even so, after it was cracked that should have been the #1 priority to fix. There’s absolutely no way it’s acceptable that they haven’t fixed it 10 years down the line.

          • Designate@lemmy.mlM
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Unfortunutly there is no other service like it so they can afford to be lax cause you know. Who else is going to do it? Be interesting if someone does get compromised and given the clear lack of effort in properly securing the personal data if they attempt to seek damages against TP

        • BURN@lemmy.worldOPM
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          That’s my go-to for any password encoding

          Hopefully this gets iRacing to open up their oAuth portal to external apps and someone can develop something more secure.

          It really shouldn’t be that hard. It’s an account management and CDN software, it honestly can’t be that hard to build a properly hardened version

    • BURN@lemmy.worldOPM
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Not even the bare minimum of effort. It’s really disappointing.

      A first year CS student knows better than to md5 hash passwords, let alone without a salt