Urgent news. Apparently there has been a password leak at xCPPS. We found a link on xCPPS' website to a text file containing hundreds of passwords for registered xCPPS accounts; some of these passwords were hashed, but some were not.
This was an open link on their website, so anybody could have visited the page and copied everything, and we have no idea who may have downloaded it. (The link has now been removed, but it was up for several days.) These accounts are from before xCPPS' extended downtime (before all of the accounts were deleted). Each record includes the account name, the account's password, the penguin's colour, the e-mail address it was registered with, and the user's IP address.
What concerns us is that some of the passwords in the file are not hashed at all. Could this have happened because some "slipped" through the hashing step, or was the hashing deliberately turned off for a while? Most of the accounts on the list are hashed, however.
Here’s an image of what just part of the text file looks like: (I blurred out the personal information)
Don't assume that your account is safe just because its password is hashed. xCPPS hashes passwords with plain MD5, which is a very common and very fast hash, and I found that if I ran the hashes through an online MD5 lookup service, it returned the original password around 2/3 of the time. So even if your password is stored as an MD5 hash, it isn't necessarily safe. To make sure account passwords cannot be recovered, the server needs to use a stronger hashing method, such as SHA1, which is harder to reverse.
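As an added illustration (not code from xCPPS or from this post), the script below audits records in the layout the dump is described as having, separating hashed from plaintext password fields, and shows why unsalted MD5 is so easy to look up: two users with the same password get the identical digest, whereas a per-user salt and a slow hash give different digests. All records, names, e-mail addresses and IPs are constructed.

```python
import hashlib
import os
import re

# Constructed sample records in the described layout:
# account name, password field, penguin colour, e-mail, IP address.
# 5f4dcc3b... is the well-known MD5 of "password"; the other digest is
# an arbitrary hex value used only to look like a hash.
SAMPLE_DUMP = """\
penguin1,5f4dcc3b5aa765d61d8327deb882cf99,blue,p1@example.invalid,192.0.2.10
penguin2,letmein123,red,p2@example.invalid,192.0.2.11
penguin3,5f4dcc3b5aa765d61d8327deb882cf99,green,p3@example.invalid,192.0.2.12
penguin4,00112233445566778899aabbccddeeff,pink,p4@example.invalid,192.0.2.13
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def classify_password_field(value):
    """Heuristic: a 32-character hex string is treated as an MD5 digest,
    anything else as a plaintext password."""
    return "md5" if MD5_HEX.match(value) else "plaintext"


def audit_dump(text):
    """Count hashed vs. plaintext records and how many hashed records share
    their digest with another record (same unsalted hash == same password)."""
    counts = {"md5": 0, "plaintext": 0, "shared_digest_records": 0}
    by_digest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        name, pw = fields[0], fields[1]
        kind = classify_password_field(pw)
        counts[kind] += 1
        if kind == "md5":
            by_digest.setdefault(pw.lower(), []).append(name)
    counts["shared_digest_records"] = sum(
        len(names) for names in by_digest.values() if len(names) > 1)
    return counts


def unsalted_md5(password):
    """How the dump stores passwords: fast, unsalted, lookup-table friendly."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256),
    so equal passwords produce different digests and precomputed tables fail."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest.hex()
```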
What I am also wondering
Should I be worried? If you registered at xCPPS before the accounts were all deleted (or before the long downtime) and you used a password that you also use for other things, then I would definitely change those passwords. If you used a password which you do not use for anything else, then you are safe.
This is another reminder to always use a password that you have not used before when registering for private servers!