Snott

Category: Announcements

News and updates from Snott

  • WineHQ database hacked!

    The WineHQ website notified all of its users today of a security breach and reset everyone’s passwords to avoid more harm being done.

    The hackers took advantage of a vulnerability in phpMyAdmin, a utility used for managing databases and users.

    Here is the complete announcement posted to the mailing list:

    Hi,
    
    I am sad to say that there was a compromise of the WineHQ database system.
    
    What we know at this point is that someone was able to obtain unauthorized
    access to the phpmyadmin utility.  We do not know exactly how they obtained
    access; it was either by compromising an admin's credentials, or by
    exploiting an unpatched vulnerability in phpmyadmin.
    
    We had reluctantly provided access to phpmyadmin to the appdb developers
    (it is a very handy tool, and something they very much wanted).  But it
    is a prime target for hackers, and apparently our best efforts at
    obscuring it and patching it were not sufficient.
    
    So we have removed all access to phpmyadmin from the outside world.
    
    We do not believe the attackers obtained any other form of access to the
    system.
    
    On the one hand, we saw no evidence of harm to any database. We saw no
    evidence of any attempt to change the database (and candidly, using the
    real appdb or bugzilla is the easy way to change the database).
    
    Unfortunately, the attackers were able to download the full login
    database for both the appdb and bugzilla.  This means that they have all
    of those emails, as well as the passwords.  The passwords are stored
    encrypted, but with enough effort and depending on the quality of the
    password, they can be cracked.
    
    This, I'm afraid, is a serious threat; it means that anyone who uses the
    same email / password on other systems is now vulnerable to a malicious
    attacker using that information to access their account.
    
    We are going to be resetting every password and sending a private email
    to every affected user.
    
    This is again another reminder to never use a common username / password
    pair.  This web site provides further advice as well:
    http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/
    
    I am very sad to have to report this.  We have so many challenges in our
    world today that this is a particularly painful form of salt for our wounds.
    
    However, I think it is urgent for everyone to know what happened.
    
    Cheers,
    
    Jeremy
  • Heroes of Newerth now FREE to play

    Yes, S2Games have officially announced that their flagship game, Heroes of Newerth, will no longer have an account purchase structure. You can now download the game for FREE, create an account and start playing right away!

    Those of us who purchased the game before will have premium access and will get the entire hero pool for free. If you have just created an account, you will have limited access to some heroes and will have to buy access to some of them; they have to make money, you know… You can download the game from the official HoN website.

    Here are the types of accounts offered now:

    • Basic: The standard, free account new players will receive upon sign up.
    • Verified: Basic accounts that have been upgraded by either purchasing Goblin Coins or surpassing a certain threshold of play time. This allows them to take part in Verified Only games.
    • Legacy: Paid user accounts that existed before the free-to-play model. These accounts receive a lifetime of free access to all HoN heroes and are able to play in Verified Only games. Why is that? Because some people hate playing against beginners and prefer better, more seasoned opponents, so this will separate them.

    You can get more info on this new structure by going here.

    You can watch a preview of the game and find download and installation instructions for Linux and Windows in my previous HoN post.