GoFuckYourself.com - Adult Webmaster Forum


Lord Voldemort 12-15-2011 01:56 PM

How do password trading sites get the passwords?
 
Several passwords were traded for my partner's site and he ended up with over $1000 in bandwidth overage fees. All the passwords were legitimate passwords in the htpassword file, created on very different dates from IPs in different countries, so we're wondering how the hell those fuckers got the passwords.
Anybody know?

MakingItPay 12-15-2011 02:03 PM

They sometimes hack your server. Members share them, etc. But you gotta pony up the money to have a proxypass or phantomfrog to keep these jerks from eating you up. It is well worth it.

bean-aid 12-15-2011 02:03 PM

Teencat would know.

Plus he should be protecting his server for multiple logins, ask around. Several good options.

alias 12-15-2011 02:05 PM

Brute force with proxies using word lists is one way.

BNMedia 12-15-2011 02:05 PM

Do yourself a favour and get Strongbox. Could have saved you the $1000 overage!
They will also upgrade the encryption (if you ask them) to make the password file much harder to hack ;-)
Speak to Ray Morris, Raymor on here I think.

Roald 12-15-2011 02:05 PM

Is your partner using some sort of protection like Strongbox?

spazlabz 12-15-2011 02:06 PM

Quote:

Originally Posted by alias (Post 18633112)
Brute force with proxies using word lists is one way.

:thumbsup pretty common for the script kiddie crowd

x-rate 12-15-2011 02:07 PM

It says it by itself... they trade it! :P

AdultEUhost 12-15-2011 02:16 PM

Of course every case is different but mostly people really sign up and either download the entire members area to upload it on torrents etc or they publish the login on a password forum. Mostly because they want to be cool or keep a good reputation on these forums.

fris 12-15-2011 02:39 PM

I don't feel sorry for companies that still use htaccess and pennywize; it's their own fault.

Adult Insider Dave 12-15-2011 03:58 PM

Quote:

Originally Posted by Lord Voldemort (Post 18633089)
Several passwords were traded for my partner's site and he ended up with over $1000 in bandwidth overage fees. All the passwords were legitimate passwords in the htpassword file, created on very different dates from IPs in different countries, so we're wondering how the hell those fuckers got the passwords.
Anybody know?

Hack attempts at your server are the most common, I would say, based on what I've seen. We implemented a lot of different ways to help prevent this on our backends, including when a login is used from more than X number of IPs they get disabled. This will fix most of the overage problems, since when a password is shared on most of these shit sites you'll see a flood of logins with the same user from multiple IPs within a matter of minutes/hours.

Oftentimes though you need to be aware that a legit member could be affected, so you need to change their user/pass and get it to them ;)
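The per-login IP check described in the post above, as an added example (not code from the thread or from any product named in it). It assumes Apache-style access log lines in chronological order with the authenticated user in the third field; the threshold, window and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident authuser [time] ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\]')

# Constructed sample lines (documentation IP ranges, made-up users).
SAMPLE = [
    '192.0.2.10 - alice [15/Dec/2011:09:00:00 -0700] "GET /members/ HTTP/1.1" 200 512',
    '192.0.2.21 - bob [15/Dec/2011:14:00:00 -0700] "GET /members/ HTTP/1.1" 200 512',
    '198.51.100.7 - bob [15/Dec/2011:14:02:00 -0700] "GET /members/ HTTP/1.1" 200 512',
    '203.0.113.5 - bob [15/Dec/2011:14:03:00 -0700] "GET /members/ HTTP/1.1" 200 512',
    '203.0.113.9 - bob [15/Dec/2011:14:09:00 -0700] "GET /members/ HTTP/1.1" 200 512',
    '198.51.100.44 - alice [15/Dec/2011:19:30:00 -0700] "GET /members/ HTTP/1.1" 200 512',
    '192.0.2.99 - - [15/Dec/2011:19:31:00 -0700] "GET / HTTP/1.1" 200 128',
]

def shared_logins(lines, max_ips=3, window_minutes=60):
    """Return {user: sorted IPs} for every login seen from more than
    max_ips distinct IPs inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # user -> (time, ip) pairs still in window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) == '-':   # skip unparsable and anonymous requests
            continue
        ip, user, stamp = m.groups()
        when = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
        seen = recent[user]
        seen.append((when, ip))
        while when - seen[0][0] > window:  # expire entries older than the window
            seen.popleft()
        ips = {addr for _, addr in seen}
        if len(ips) > max_ips:
            flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == '__main__':
    for user, ips in shared_logins(SAMPLE).items():
        print(f'disable and reissue credentials for {user}: {len(ips)} IPs {ips}')
```

A member who logs in from home and work stays under the threshold; the flagged account is the one that needs new credentials sent to its legitimate owner.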

Adult Insider Dave 12-15-2011 04:02 PM

Also be aware that if you offer a free or low cost trial there is a greater chance that the password is bought just to share with their group. Keep your eye on those ;)

lucas131 12-15-2011 04:11 PM

Rich people buy memberships, they share maximum with close friends. Nobody is sharing his own membership in public, not anymore. All logins are hacked, from database, from emails, or from pay gateways. If you see traffic on your logins, put the login into Google and see how many results will show up. If no login, mostly you are hacked; check your database and server logs and so, fill the holes. If you see hacked combos in Google, the paying owner is using the same combo on every site he buys. All is going from private: hackers are hacking databases, some rats are stealing the databases and putting them public, then some self-called hackers run machines with proxies and try to use the combos on every site where it is possible. So, at the end, it is the fault of the site that it is opened, hacked, or it has low security, and having low security today is like sharing your password in your sig. Enjoy, I mean, have luck :)

Fenris Wolf 12-15-2011 07:06 PM

Quote:

If you are using an old fashioned .htpasswd file that's only encrypted with the most common method, that's an algorithm called DES which is next to worthless. If those DES encrypted passwords are based on English words, which they normally are if you let your users choose their own passwords, a cracker can decrypt many of those passwords within seconds. You'll want to secure your passwords better than that.

First, how to know if this is a problem for you: 1) If you let users choose their own passwords you have a problem. 2) If your database or password file has the passwords in it in clear text you have a problem. 3) If each line of your password file has the user name, a colon, then 13 characters you have a problem. 4) If any of 1-3 applies to you and you run PHP scripts, you probably have a bigger problem.

PHP scripts make the problem worse because most of them, including most of the most popular ones, include a security hole that will let the attacker download your password list or database. So especially if you use PHP you'll want to be sure your password list is not easily cracked.

DES encryption, used in most .htpasswd files, is no longer effective. I've run a cracker program against some customers' password lists and indeed I was able to crack many passwords in seconds. Part of the reason it's so weak is that it only uses the first 8 characters of the password. With user-chosen passwords the first 8 characters are often found in a cracker's dictionary because they choose passwords based on English words.
You can read more at https://www.bettercgi.com/strongbox/passgen/ and when you are done reading have your friend get Strongbox. It will be the best $159.00 he will ever spend.
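Check 3 from the quoted text above (user name, a colon, then 13 characters) as an added example that is not from the thread or from Strongbox. It classifies each `.htpasswd` line by the hash prefixes Apache's `htpasswd` tool writes; the sample file contents are constructed placeholders, not real hashes.

```python
import re

# Constructed sample file: the hash fields are placeholders, not real output.
SAMPLE = """\
alice:zz0123456789A
bob:$apr1$saltsalt$0123456789abcdefghijkl
carol:$2y$10$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ
dave:{SHA}0123456789abcdefghijklmnopq=
erin:letmein
"""

# Schemes reported as a problem: DES crypt (the page's check 3), anything
# unrecognised (possibly clear text, check 2), and unsalted SHA-1, which
# Apache's own documentation describes as insecure.
WEAK = {'des-crypt', 'unrecognised', 'sha1-unsalted'}

def classify(hash_field):
    """Name the scheme of one .htpasswd hash field from its format alone."""
    if hash_field.startswith(('$2y$', '$2a$', '$2b$')):
        return 'bcrypt'
    if hash_field.startswith('$apr1$'):
        return 'apr1-md5'
    if hash_field.startswith('{SHA}'):
        return 'sha1-unsalted'
    # Traditional crypt(): 2 salt characters + 11 hash characters.
    # A 13-character clear-text password would also land here.
    if re.fullmatch(r'[./0-9A-Za-z]{13}', hash_field):
        return 'des-crypt'
    return 'unrecognised'

def audit(htpasswd_text):
    """Return [(user, scheme)] for every entry stored with a weak scheme."""
    findings = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or ':' not in line:
            continue
        user, hash_field = line.split(':', 1)
        scheme = classify(hash_field)
        if scheme in WEAK:
            findings.append((user, scheme))
    return findings

if __name__ == '__main__':
    for user, scheme in audit(SAMPLE):
        print(f'{user}: {scheme} -> reset and re-hash with a stronger scheme')
```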

Lace 12-15-2011 07:41 PM

Quote:

Originally Posted by lucas131 (Post 18633332)
Rich people buy memberships, they share maximum with close friends. Nobody is sharing his own membership in public, not anymore. All logins are hacked, from database, from emails, or from pay gateways. If you see traffic on your logins, put the login into Google and see how many results will show up. If no login, mostly you are hacked; check your database and server logs and so, fill the holes. If you see hacked combos in Google, the paying owner is using the same combo on every site he buys. All is going from private: hackers are hacking databases, some rats are stealing the databases and putting them public, then some self-called hackers run machines with proxies and try to use the combos on every site where it is possible. So, at the end, it is the fault of the site that it is opened, hacked, or it has low security, and having low security today is like sharing your password in your sig. Enjoy, I mean, have luck :)

Ding, ding, ding. Brute force is so 2001. :1orglaugh

