Hookers.nl breach: cracking 57% of the passwords in three days

The weakness

Hookers.nl uses commercial forum software named vBulletin. This software package has existed since 2000. The current version — as used by Hookers.nl — is 5.5.4. On 23 September a so-called 0-day exploit was posted on the ‘Full Disclosure’ mailing list. A 0-day is a weakness for which no fix is available yet. This specific exploit worked against all 5.x versions of vBulletin, which meant that every vBulletin 5 installation worldwide could be hacked.

The hack

Using off-the-shelf scanning tools, it is easy to perform an automated global inventory scan. Within hours to days, every website worldwide can be queried to see whether it is running vBulletin 5. If it is, the 0-day exploit can be launched and the forum’s underlying database content can be stolen. Hookers.nl was hacked this way on 25 or 26 September 2019, probably fully automated. The Hookers.nl dataset we have received contains 292,853 user accounts. We assume that the data is genuine but cannot guarantee its correctness or completeness.

The impact

Hookers.nl is a public forum. A lot of its data can be accessed anonymously: confidentiality of posts is not an issue. Posts are made using nicknames, and most users assume that they can post anonymously. However, with access to the database content it is possible to link a nickname to the email address used for registration. In many cases the email address can be related to a person. Those users might be blackmailed: ‘pay us or else…’. The raw database contains all the information a blackmailer needs, in unencrypted form, including email and IP addresses. This is not specific to Hookers.nl; the vBulletin software simply works this way. Plaintext user passwords are not stored; instead a so-called ‘password hash’ is used.

The password hashes

As a password breach notification and prevention service, Scattered Secrets is interested in the plaintext passwords from data breaches. So how do we crack the Hookers.nl password hashes?

Results

With limited effort and basic attack techniques we were able to crack 154,653 legacy (64%) and 11,675 bcrypt (24%) password hashes. This makes a total of 166,328 out of 290,871 (57%). The top 35:

  • Cracked accounts include — among others — users from domains of Dutch governmental institutions like the department of defense, foreign affairs and law enforcement.
  • Analysis of IP addresses shows that many of those users visit Hookers.nl from work.
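The gap between the 64% legacy and 24% bcrypt figures above comes down to how cheap one guess is against each hash family, and a forum operator can close that gap without waiting for users to log in. The following is an added example, not code from the article or from Scattered Secrets; it assumes that vBulletin’s legacy scheme is md5(md5(password) + salt) with a short per-user salt, and it substitutes PBKDF2-HMAC-SHA256 from the Python standard library for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import os
import time

# Assumptions (not stated in the article): the legacy vBulletin scheme is
# md5(md5(password) + salt); PBKDF2-HMAC-SHA256 stands in for bcrypt.
PBKDF2_ROUNDS = 200_000


def legacy_hash(password: str, salt: str) -> str:
    """Legacy vBulletin-style digest: two fast MD5 calls and a short salt."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def legacy_verify(password: str, salt: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def slow_hash(secret: str, salt: bytes) -> bytes:
    """Deliberately slow, salted hash (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def upgrade_legacy_record(legacy_digest: str):
    """Wrap an existing legacy digest in the slow hash without knowing the
    password, so a stolen record can no longer be attacked at MD5 speed."""
    salt = os.urandom(16)
    return salt, slow_hash(legacy_digest, salt)


def verify_upgraded(password: str, legacy_salt: str, slow_salt: bytes, stored: bytes) -> bool:
    """Check a password against a wrapped record: recompute the legacy digest first."""
    inner = legacy_hash(password, legacy_salt)
    return hmac.compare_digest(slow_hash(inner, slow_salt), stored)


def legacy_hashes_per_slow_hash() -> int:
    """Legacy digests computable in the time of one slow hash on this machine:
    roughly the factor by which an attacker's guess rate drops after the upgrade."""
    salt = os.urandom(16)
    start = time.perf_counter()
    slow_hash("benchmark", salt)
    budget = time.perf_counter() - start
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        legacy_hash("benchmark%d" % count, "ab12")
        count += 1
    return count
```

Running `legacy_hashes_per_slow_hash()` gives a machine-specific ratio; the point is that the legacy records in a breach like this one can be wrapped in bulk, long before each user logs in again.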

Final words

The hack of Hookers.nl got a lot of media attention because of the sensitive nature of its data. Many other services using the same forum software were hacked as well. In the case of this specific vBulletin exploit, forum owners had no way of protecting themselves since there were no updates available. As a result, your personal information might have been stolen elsewhere too. With market prices of recent datasets, including Hookers.nl, as low as a few Euros, the data is within virtually anyone’s reach.

data of various hacked vBulletin forums available for download
