Was CrakRevenue Hacked?
I got this email today:
Our system has detected that your current CrakRevenue password is rather long. ....... We contact you today, respectfully and kindly, asking you for your cooperation on this. Please kindly change your password when you have a free moment to ensure no future issues!
=========
Now, why should I change my pass since it is long enough? Was the CrakRevenue database compromised?
I don't think they've been hacked. My understanding is they're migrating to new software or a new system. And the password length limit for this new system is 16 characters. If your password is longer than that (mine was), you'll have to change it to a 16-character one in order for them to transfer your record. Nothing to worry about.

Quote:
In fact it's a really bad email.....
Sounds like a phishing attempt, from someone in Nigeria or Indonesia.

Quote:
So in essence, your assumption is stupid. The OP assumption has more merit.

:(

Anyone checked if the link is Nigerian phishing or crackrev legit?

Maybe they hired Mr Konta Tama MANAGER AUDIT AND ACCOUNTANCY DEPARTMENT to run their tech support?

If they know the length of your password then their database is not encrypted..... I hope your password with them is unique, in case someone gets their hands on the database they would see your password without decoding anything..

I like short passwords

lol hopefully.

Quote:
No, we weren't hacked, and we're sorry if there was any confusion relating to this e-mail. We feared some might think 'phishing' so we did make it a point to say we didn't want you to respond with your password, that we weren't asking for your password, and we even gave official instructions on how to make the change via CrakRevenue's official website rather than doing it through a link, for those exact reasons.
----------------------------------------------------------------------------------------
Here's the e-mail you received (in original, full context)
----------------------------------------------------------------------------------------
Well, this is embarrassing. Our system has detected that your current CrakRevenue password is rather long. We are working on modifying some technical things behind CrakRevenue, mainly on how we store data. And the thing is, your current CrakRevenue password exceeds the new allowed password char limit. We contact you today, respectfully and kindly, asking you for your cooperation on this. Please kindly change your password when you have a free moment to ensure no future issues! New passwords must be between 4 - 16 characters max. Please note, we are NOT asking you for your password. Please do not respond with your password. We ask that you head on over to your CrakRevenue Profile (crakrevenue.com/account) and change your password to something shorter. That's all! Thanks for your help on this!
----------------------------------------------------------------------------------------
But yep, if you have a longggg password — the "dude don't hack me bro" defcon level-1 kind — you received this e-mail. Passwords exceeding 16 chars will become problematic in a future update. Think of it this way: it's really no different than any other site dictating how long your password must be when you first sign up. Anyway, sorry for the scare!

:)

What a weird email.
Yo crak... you realize that in this thread you shouldn't know the length of the password unless you store them insecurely. Right?

Quote:
There is no way for them to know the length of your password in a hashed form. The explanation also makes no sense because the hashing algorithm will just truncate the rest of the chars; if for example it has an input limit (which I'm not sure which one does other than the old 3DES from the htpasswd days) it just truncates the rest. For example, if you try to hash a password "12345678901234567890" but it has a limit of 16 input chars, it will hash only the first 16 and you can log in with "1234567890123456gjflsagjfksalfjdsaklfjdsaklfjdsak lfsa" if you want, because it will only check the first 16 chars. Regarding the email, the only other thing that could prompt this is if their input form on the website now has a limit of max 16 chars, but it was not like that before. So they have your password hashed with >16 chars, and if you tried to log in with the >16 chars password now, the input form would truncate it and send it truncated to the database, which obviously would produce a different hash now than the one stored already in the database and you would not be able to log in. So yea, they can't know the length of your pass when it's hashed. Of course, this is if they are hashing them and not storing plaintext :)

Thank god it is not the Nigerian Prince.

Quote:
http://i.imgur.com/utp3AxV.gif

Crak_Eric, I know the original, full-context email I got a few days ago. I was asking something else in this thread: was the database compromised? And now there is a new question: are passwords stored insecurely? I mean, do you really know the length of my pass? Is it true that if you know the length of my pass, the password is not encrypted in your system?
[later edit] P.S.: Nevermind....

Quote:
The majority are using md5 encryption with/without salt these days so imho there's not much issue about password length here, as the md5 encryption can take any amount of characters as input and throws out a 32 char long string.

Hi guys!
As some of you already know, we're currently migrating to a new platform. The message you received was indeed from us and NOT a hack. No security has been compromised. We are working on making our old system compatible with the new one and one of the steps is to migrate user credentials into a new setup that has a character limit on the password length. We have a special decryption algorithm + salt that is transferring all of the information and flagging accounts that have passwords over the new limit. At no time has your password been compromised or vulnerable. We're sorry if this scared any of you. The emails went out quicker than expected and our comm team didn't have the time to warn you guys about the upcoming changes. Remain assured that everything is still kosher. Cheers!

A whole lot of drama for exactly what now? This is the kind of crap you get when you have so many surfers in a webmaster forum.

So... Your password is?

Quote:
There's no "special decryption algorithms" and the "+ salt" thing also means nothing. You are now just digging whatever you write even more :) Let me explain one more thing to you: Hash = something that can't be decrypted. There is no "special algorithm" on that because it's just that, a hash. It can't be reversed. What can be done is duplicated. Which would mean that you "duplicated" and hashed words of 16+ password length, which is so farfetched it's insane to even think about. List of Rainbow Tables shows you the size of a rainbow table that has 1 to 10 char lengths. I'm pretty sure you don't have the disk space to store a rainbow table for passwords with 16+ chars. Furthermore, if you were to try to "crack" the hash of a password for 16+ chars, I'm also sure you would never ever hit it. Your remark of "+ salt" also makes no sense. Would have been better if you didn't say anything.
Here's the md5 of a password with 21 chars:
2061bf778a5cb9d7f72c55b09c46ba87
It's not even salted. Should be no problem, no? You can do it fast since you probably have thousands of members when you were able to evaluate how big everyone's password is :) From your answer I see you don't even understand what a salt is, or what its purpose is. Salt is used to make the redundancy on hashes even bigger. For example, "A" will always give a hash of 7fc56270e7a70fa81a5935b72eacbe29, so someone somewhere might have stored that same hash and saved it as "A", and someone might be able to reverse it by finding it, let's say, on google, or running it through hash breaking algorithms. Salt is invented so that each vendor/software platform could make up their own "salt" that could produce a different hash for "A", so that without knowing the salt, you can't replicate the hashing algorithm. But still, password hashed with or without salt, you CAN'T KNOW ITS LENGTH. So you were storing them plaintext?
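Added illustration of the points made in the two posts above (a hash has a fixed size whatever the input length, a form that truncates input produces a non-matching hash, and a per-user salt makes the same password hash differently); this is example code, not the thread's or CrakRevenue's, and the PBKDF2 scheme plus the flag-at-login migration are assumptions about how a site would do this correctly:

```python
import hashlib
import hmac
import os

def unsalted_md5_hex(password: str) -> str:
    """Unsalted MD5 as quoted in the thread: deterministic, so the same password
    gives the same 32-hex-char digest on every site, whatever the input length."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_record(password: str, iterations: int = 100_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record (assumed scheme). A fresh random salt per user
    means two users with the same password get different digests; the digest is
    always 32 bytes, so nothing about the password's length is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])

def form_truncate(password: str, max_chars: int = 16) -> str:
    """Models a login form that silently cuts input at max_chars (the failure mode
    described above): the truncated string hashes to something else, so login fails."""
    return password[:max_chars]

def login_and_flag(record: dict, candidate: str, new_limit: int = 16) -> tuple:
    """Assumed safe migration: the only moment a site legitimately holds the plaintext
    is while verifying it at login, so an over-limit password is flagged here, never
    derived from stored hashes. Returns (authenticated, must_shorten)."""
    ok = verify(record, candidate)
    return ok, ok and len(candidate) > new_limit
```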

A good excuse would be to say that on initial choosing of password the system stored the number of digits chosen.
Does it really matter though? This isn't your bank... it's an affiliate program. Crak should just say "sorry"... new system won't store passwords going forward.

I don't care since I did nothing with them, it's just funny how from a simple question they dug themselves in with this. The more they write, the more you see something's just not right there.
However, if you think there's no problem with someone knowing your affiliate password, you'd be dead wrong. Maybe not if you're a 0 hit affiliate. But someone doing xxx$ weekly would definitely care. From knowing your traffic sources, from possible email intrusion, to switching payment methods.

run the sky is falling

Heh, they saw it's better to let it die.

md5 of 64 character password: 44b0786e70c3c1ce5c8edc4ca77f9819
md5 of 255 char password: e3491d81b6b929e6e45c042cbefc212b
md5 of 16 char password: a74298e4a259759687e3a5acb2e7ae12
Is CrakRevenue storing passwords insecurely?

Quote:
Crak has stated that they know how long the passwords are (which means they either are storing passwords as plain text in their database, or they have a database schema with a huge security hole). Either way it means their form of password storage is compromised. They've also now said they have a "de-cryption" method which is complete horse shit. If they're storing passwords with a hash method there's no way to de-crypt them. You can figure out what a password is from the hashed version - but it isn't de-cryption - it's a dedicated "guessing machine" that runs the billions of combinations through the hash function until it finds the match. That's not something they'd have the capacity for.

Quote:
Program DBs get hacked on a daily basis, no matter how big you are. The question is what they did with it. Just dumped the email list, login info, or injected some custom written shells into the system for future use.