From Jon "AgmLauncher" LeMaitre, co-owner and general manager of GameReplays. As of May 28th, the GameReplays member database had been breached and approximately 5,000 emails and password hashes leaked (the original wording is "encrypted passwords"; the plan to re-salt them, stated below, implies salted hashes, and LeMaitre's own statement puts the count at about 10,000 accounts). On May 27th, an Anonymous-affiliated hacker going by ecECus had sent the following email (in Spanish, mind you ...):
The following enquiry to GameReplays was submitted on 27 May 2012 7:42
Name: _ecECus_
Email: [email protected]

Hello, the reason I am contacting you is to inform you that you have a serious SQL vulnerability on your site; fortunately or unfortunately I stumbled across this flaw on your site. As you should know, all the information on registered users can be seen, as well as your ENTIRE database ("gamerp_gamerp"), IPs, etc. I don't think your subscribers would like that. My ideology is not to do harm with my knowledge; on the contrary, I am informing you that you have this error so that you don't fall into the hands of lamers and the information of every registered user is left exposed. I hope you fix this flaw soon.

We Are Anonymous
We Are Legion
We Don't Forgive
We Don't Forget
Expect Us!

Kind regards. An acknowledgment on your page wouldn't hurt.
Roughly translated, he says he found a vulnerability with GR's database, but that his intentions were not for evil. He simply wanted to alert us to the problem so that we might have a chance to fix it before anyone does anything malicious. He also kindly asked for some credit to be given for discovering the issue. Ok, fair enough! Sounds great, right?

Fast forward about 24 hours, and what shows up on the internet? A dump of about 10,000 GR accounts, released by whom? ecECus, the same guy who claimed his intentions were not evil. Given that he sent the email in Spanish, and I was out celebrating Memorial Day weekend, I had no chance to address his email and thank him for alerting us to the issue. Because I was not able to respond to an email (written in a language I don't know) within 24 hours, he decided to go ahead and give himself credit for the hack (update: and then do it again later today).

So to recap:

1. On the 27th I get an email, in Spanish, alerting me of a vulnerability.
2. The email claims that he is simply giving us a friendly tip and means no harm.
3. The email divulges absolutely no details that would actually help us determine where the vulnerability is, or how to exploit it ourselves in order to protect against it.
4. This person wants credit for "helping" us.
5. On the 28th, he goes and releases personal information from GR's database on the web.
6. On the 29th (today), he does it again, still with no useful information that would actually help us fix this vulnerability.

Further, GameReplays only has about 35 hours/week of development time available to it to create new features that the community wants and needs. I personally commit 15 hours per week on top of my regular 45 hours/week job. The other 20 hours is generously contributed by the rest of our coding staff (namely subroutine, -null-, Forlong, and Kustodian).
At present we are using that very limited coding bandwidth to develop a new framework that will help us create new features more quickly and easily. The framework is done and ready for development, but since ecECus has decided to hack GameReplays and make his results public, we are forced to stop development of features like the VoD system, tournament system, and many others, just to figure out where this security vulnerability is.

Ironically, GameReplays fully appreciates the efforts of Anonymous in their role of helping to keep governments and corporations honest. Various acts from the US government such as PROTECT-IP and many others are a direct threat to the existence of GameReplays. Anonymous has been helping to expose the corrupt links between corporate lobbying and various governments which threaten the very nature of the web. Sadly, there are people like ecECus who give Anonymous and other hackers a bad reputation, since his goal isn't to help, but rather to be immature and stroke his own ego.

As such, we invite anyone who ACTUALLY wants to help to hack GameReplays and give us details about where our vulnerabilities are. Rather than making them public, they can be sent to us through our Contact form, or we will even create a special forum where security vulnerabilities can be discussed. Unfortunately, because we have such limited development resources, we cannot do this alone. Therefore anyone who helps us will be given due credit.

We would like to apologize and let our members know that no truly sensitive information was stolen, but the emails of about 10,000 members have been exposed. We will be sending out PMs and emails notifying those who have been compromised. Once this vulnerability has been fixed, we will re-salt everyone's passwords and take extra steps to make sure everyone's accounts are more secure in the future.

Sincerely,
Jon LeMaitre
Co-Owner and General Manager
GameReplays.org
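The email above names the bug class (an SQL vulnerability) and its consequence (the whole member table, IPs included, readable by an outsider) but gives no detail, and the statement says the team could not locate it. The following is an added example, not GameReplays' code and not the actual flaw: it uses a constructed in-memory SQLite table with a made-up schema to show the injectable pattern a reviewer would hunt for (user input spliced into SQL text), how one such query exposes every row and then the schema of other tables, and the parameterized form that closes it. The table, column names and sample rows are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data standing in for a forum member table.
# Not GameReplays' schema or data.
SAMPLE_MEMBERS = [
    (1, "alice", "alice@example.org", "198.51.100.7"),
    (2, "bob", "bob@example.org", "203.0.113.9"),
    (3, "carol", "carol@example.org", "192.0.2.44"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ip TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Injectable lookup: the caller-controlled value is pasted into the SQL text.

    Anything in `name` is parsed as SQL, so a quote character lets the caller
    rewrite the WHERE clause or append a UNION against another table.
    """
    sql = "SELECT id, name, email, ip FROM members WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized lookup: the value is bound by the driver, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, email, ip FROM members WHERE name = ?", (name,)
    ).fetchall()


# Tautology payload: turns "WHERE name = 'x'" into "WHERE name = 'x' OR '1'='1'"
# and returns every member row (emails and IPs included).
DUMP_ALL_PAYLOAD = "x' OR '1'='1"

# UNION payload: appends a SELECT over sqlite_master (the catalog table) to list
# every table and its CREATE statement; the trailing "--" comments out the
# closing quote the template adds. Column count (4) must match the outer query.
LIST_SCHEMA_PAYLOAD = "x' UNION SELECT 0, name, sql, '' FROM sqlite_master --"


def demo():
    """Run both lookups against each payload and return the row counts."""
    conn = make_db()
    return {
        "vulnerable_dump_rows": len(lookup_vulnerable(conn, DUMP_ALL_PAYLOAD)),
        "vulnerable_schema_rows": len(lookup_vulnerable(conn, LIST_SCHEMA_PAYLOAD)),
        "safe_dump_rows": len(lookup_safe(conn, DUMP_ALL_PAYLOAD)),
        "safe_schema_rows": len(lookup_safe(conn, LIST_SCHEMA_PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns all three constructed rows for the tautology payload and the `members` CREATE statement for the UNION payload; the parameterized version returns nothing for either, because the payloads are compared as literal strings against the `name` column. When auditing a codebase for this class of bug, grep for string formatting or concatenation that feeds `execute`-style calls, and treat every such site as the place to switch to bound parameters.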