
Thread: Guntrader uk data breach

  1. #1
    Join Date
    Nov 2005
    Location
    New Milton, Hampshire
    Posts
    14,389

    Guntrader uk data breach

    From a post on a data breach forum it looks like Guntrader.uk has been breached.

    The data that has been pulled out are names, email address, physical address, IP address, phone numbers. Passwords were hashed but not sure if that’s enough to protect them.

    If you use guntrader.uk you should change your password and the password on any other site that uses the same one. If the hash is unscrambled then your email and password can be used on other sites.

  2. #2
    Join Date
    Apr 2002
    Location
    Near Wimbledon, SW London, or Lusaka, Zambia
    Posts
    26,425
    Quote Originally Posted by RobF View Post
    Passwords were hashed but not sure if that’s enough to protect them.

    If you use guntrader.uk you should change your password and the password on any other site that uses the same one. If the hash is unscrambled then your email and password can be used on other sites.
    hashed passwords will protect them (as they can't be reversed/unscrambled - it's a hash, not encryption), but it's still good advice to change them if used elsewhere
    Always looking for any cheap, interesting, knackered "project" guns. Thanks, JB.

  3. #3
    Join Date
    Dec 2013
    Location
    Wigan
    Posts
    4,946
    Thanks for the heads up - it's worth changing a password every now and again just in case anyway
    Making a mockery of growing old gracefully since I retired

  4. #4
    Join Date
    Nov 2005
    Location
    New Milton, Hampshire
    Posts
    14,389
    Quote Originally Posted by Shed tuner View Post
    hashed passwords will protect them (as they can't be reversed/unscrambled - it's a hash, not encryption), but it's still good advice to change them if used elsewhere
    Unfortunately that’s not the case. They can be brute forced by using a word list comparison. This is particularly true if people have used simple passwords, which is the reason why now a lot of sites and apps ask for more complex passwords.

  5. #5
    Join Date
    Apr 2002
    Location
    Near Wimbledon, SW London, or Lusaka, Zambia
    Posts
    26,425
    Quote Originally Posted by RobF View Post
    Unfortunately that’s not the case. They can be brute forced by using a word list comparison. This is particularly true if people have used simple passwords, which is the reason why now a lot of sites and apps ask for more complex passwords.
    nah.. I'm being pedantic.. they can be brute forced and one can derive a password that matches the hash, that will then give them a route into guntrader.
    BUT it will not necessarily give them the actual real password, as multiple passwords will map to the same hash (by design). Thus a password "apple" may map to hash 12345 and that can be used to access guntrader, as it generates the same hash.

    However the actual user's password was really "orange", which also mapped to hash 12345 (on guntrader).

    So if you try and use that user's brute forced "apple" password against other sites he uses, it will not work, as the real password "orange" when run through the hashing on those other websites, actually hashes to 78791011 (different hash).

    None of which really matters to most people, I know! You are quite right on very simple passwords, as you reduce the chances of the above applying if there are so few variables
    Always looking for any cheap, interesting, knackered "project" guns. Thanks, JB.

  6. #6
    Join Date
    Jul 2014
    Location
    Watford
    Posts
    8,414
    Quote Originally Posted by RobF View Post
    Unfortunately that’s not the case. They can be brute forced by using a word list comparison. This is particularly true if people have used simple passwords, which is the reason why now a lot of sites and apps ask for more complex passwords.
    Yes and no - it depends if they used a SALT on the hash. Still nothing is impossible to crack - just harder. It is bad practice to use the same password across websites anyhow.

    The biggest issue here is that someone has a huge list of names and addresses of firearm owners - all available to the highest bidder.
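
Added example, not part of the thread or any poster's code: the salting point raised in post #6, seen from the side of the site storing the passwords. The account names, the password and the iteration count are constructed assumptions, and nothing here reflects how guntrader.uk actually stored passwords.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 work factor chosen for this example only.
ITERATIONS = 600_000


def unsalted_sha256(password):
    """Weak scheme: one fast hash, no salt. Same password gives the same hash everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Stronger scheme: random per-user salt plus a deliberately slow key derivation."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes():
    # Constructed sample accounts: two users who happen to share a password.
    accounts = {"user_a": "Partridge1", "user_b": "Partridge1"}
    unsalted = {u: unsalted_sha256(p) for u, p in accounts.items()}
    salted = {u: hash_password(p) for u, p in accounts.items()}
    return {
        "unsalted_identical": unsalted["user_a"] == unsalted["user_b"],
        "salted_identical": salted["user_a"][1] == salted["user_b"][1],
        "login_ok": verify_password("Partridge1", *salted["user_a"]),
        "wrong_rejected": not verify_password("Partridge2", *salted["user_a"]),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

With no salt, equal passwords produce equal stored values, so one guess is checked against every account at once; the per-user salt removes that and the iteration count makes each guess slower. A simple password is still the first thing a word list tries, which is why changing a reused password remains the right response.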

  7. #7
    Join Date
    Nov 2005
    Location
    New Milton, Hampshire
    Posts
    14,389
    Quote Originally Posted by aris View Post
    Yes and no - it depends if they used a SALT on the hash. Still nothing is impossible to crack - just harder. It is bad practice to use the same password across websites anyhow.

    The biggest issue here is that someone has a huge list of names and addresses of firearm owners - all available to the highest bidder.
    This highlights one of the issues of the web.

    A while ago when everyone was getting upset with FB and WhatsApp they rushed to an app called Parler in the effort to 'have free speech'. Unfortunately what came with that was a really leaky app which allowed the people's GPS data to be downloaded, meaning wherever they'd taken their phone was available to public view. /feign shock There was a considerable amount of users who all have traces going into the Capitol building. /feign shock off It seemed to be a predictable Venn diagram.

    I've also been asked for ID (passport and license) on Egun.de, who then said they'd then check with their authorities as to the authenticity. When I asked them who that was, how the data would be stored, transmitted and how I could control it, how it complied with GDPR, they deleted my account. That shows the flippancy of some sites towards security. Like I was going to scan my passport and license to a different country across the open internet and that would be fine. If it wasn't a set up for a scam then it's ripe for a rip. Their privacy policy has been since updated but it's really woolly still.

  8. #8
    Join Date
    Sep 2010
    Location
    Bruton
    Posts
    6,593
    Quote Originally Posted by RobF View Post
    This highlights one of the issues of the web.

    A while ago when everyone was getting upset with FB and WhatsApp they rushed to an app called Parler in the effort to 'have free speech'. Unfortunately what came with that was a really leaky app which allowed the people's GPS data to be downloaded, meaning wherever they'd taken their phone was available to public view. /feign shock There was a considerable amount of users who all have traces going into the Capitol building. /feign shock off It seemed to be a predictable Venn diagram.

    I've also been asked for ID (passport and license) on Egun.de, who then said they'd then check with their authorities as to the authenticity. When I asked them who that was, how the data would be stored, transmitted and how I could control it, how it complied with GDPR, they deleted my account. That shows the flippancy of some sites towards security. Like I was going to scan my passport and license to a different country across the open internet and that would be fine. If it wasn't a set up for a scam then it's ripe for a rip. Their privacy policy has been since updated but it's really woolly still.
    This sort of thing is why I’m getting increasingly Luddite/paranoid/sensibly careful about all things internet and phone.

    It’s amazing how many people don’t understand that most “free” stuff on the net is only “free” because the user is allowing their data to be harvested.

  9. #9
    Join Date
    Nov 2005
    Location
    New Milton, Hampshire
    Posts
    14,389
    Quote Originally Posted by Geezer View Post
    This sort of thing is why I’m getting increasingly Luddite/paranoid/sensibly careful about all things internet and phone.

    It’s amazing how many people don’t understand that most “free” stuff on the net is only “free” because the user is allowing their data to be harvested.
    A healthy dose of skepticism is a good way to stay healthy on the internet.

  10. #10
    Join Date
    Nov 2001
    Location
    Blackburn, Lancs. (under a bridge)
    Posts
    22,944
    Quote Originally Posted by Jesim1 View Post
    Thanks for the heads up - it's worth changing a password every now and again just in case anyway
    I used BEEF STEW but it wasn't stroganoff.
    Founder & ex secretary of Rivington Riflemen.
    www.rivington-riflemen.uk

  11. #11
    Join Date
    Apr 2002
    Location
    Near Wimbledon, SW London, or Lusaka, Zambia
    Posts
    26,425
    Quote Originally Posted by I. J. View Post
    I used BEEF STEW but it wasn't stroganoff.
    speechless... even by your standards...
    Always looking for any cheap, interesting, knackered "project" guns. Thanks, JB.

  12. #12
    Join Date
    Feb 2012
    Location
    gateshead
    Posts
    24,273
    there is always someone who will crack things like passwords

  13. #13
    Join Date
    Sep 2010
    Location
    Exeter
    Posts
    35,769
    Had an email from guntrader this afternoon, it says personal data has been accessed but NOT passwords or bank details.

    Shame the time was 16:34 an hour after BASC sent me a warning email & more than 7 hours after this thread was started

  14. #14
    Join Date
    Nov 2005
    Location
    New Milton, Hampshire
    Posts
    14,389
    Quote Originally Posted by angrybear View Post
    Had an email from guntrader this afternoon, it says personal data has been accessed but NOT passwords or bank details.

    Shame the time was 16:34 an hour after BASC sent me a warning email & more than 7 hours after this thread was started
    Firefox is reporting Passwords and IP are part of the data. I don't know if the system has the ability to determine if passwords are hashed or not. The release I've seen says it contains hashed passwords.

  15. #15
    Join Date
    Oct 2009
    Location
    aberdeenshire
    Posts
    25,209
    Quote Originally Posted by RobF View Post
    Firefox is reporting Passwords and IP are part of the data. I don't know if the system has the ability to determine if passwords are hashed or not. The release I've seen says it contains hashed passwords.
    Rob.

    Saw this earlier
    https://www.fieldsportschannel.tv/hi...hat-to-do/amp/
    Last edited by bighit; 21-07-2021 at 09:25 PM.
