> My Account was hacked and lost everything

 
post Jan 9 2018, 11:57
Post #61
b923242



Newcomer
*
Group: Members
Posts: 40
Joined: 20-August 13
Level 180 (Lord)


QUOTE(cdzxc @ Jan 9 2018, 18:45) *

[www.south-plus.net] Do you know someone called E4? He has built a personal copy of the EH website which often changes its domain name. Did you use the same registered account on it as you use on EH?


No idea about that. I always use the bookmarked EH. I rarely use search engines or random links.

 
post Jan 9 2018, 13:16
Post #62
Zes



臭鼬娘漢化組組長
*******
Group: Catgirl Camarilla
Posts: 2,039
Joined: 25-April 15
Level 473 (Dovahkiin)


QUOTE(b923242 @ Jan 9 2018, 00:21) *

What does 10B mean? :huh:
Well actually quite a lot.

Surely I miss a lot here, but here is the most visited list:
https://bbs4.2djgame.net/home/forum.php
http://moeshare.com
http://www10.eyny.com/forum.php
http://www.9moe.com/index.php (AKA KF in China)
https://bbs.sumisora.net/
https://yande.re/post
http://www.tsdm.me/forum.php
https://nyaa.si/
https://sukebei.nyaa.si/
https://www.south-plus.net
http://bbs.kdays.net/index

So now I'm gonna change a bunch of passwords; that's a lesson for me. :cry: :cry:


I do recall that 2dj had some leakage with their user database a few months ago.
(IMG:[i.imgur.com] https://i.imgur.com/aTtxQF0.png)

The dialog means: The site is closed due to a security issue. Please don't make wire transfers to the admins or anyone. Please change your password if you have the same password for other sites.

 
post Jan 9 2018, 17:45
Post #63
TeeKay2000



Lurker
Group: Lurkers
Posts: 2
Joined: 24-March 10
Level 33 (Journeyman)


QUOTE(b923242 @ Jan 9 2018, 07:35) *

...
Tried these things with my EH account as well:
https://github.com/seven332/EhViewer
...


I've used EHViewer as well. It got an update about 12 days ago; the last time it was updated was over 6 months ago. Could that be it?

 
post Jan 9 2018, 18:09
Post #64
Maximum_Joe



Legendary Poster
***********
Group: Gold Star Club
Posts: 24,074
Joined: 17-April 11
Level 500 (Dovahkiin)


QUOTE(TeeKay2000 @ Jan 9 2018, 10:45) *

Could that be it?

Yes, totally. The "remove redundant trailing whitespace of tags when parsing gallery detail" commit is just a secret way of saying "steal everyone's shit."

:rolleyes: :rolleyes: :rolleyes:

 
post Jan 9 2018, 18:29
Post #65
WatermelonJuice



Arcobaleno
*******
Group: Gold Star Club
Posts: 2,220
Joined: 20-April 13
Level 500 (Ponyslayer)


QUOTE(TeeKay2000 @ Jan 9 2018, 23:45) *

I've used EHViewer as well. It got an update about 12 days ago; the last time it was updated was over 6 months ago. Could that be it?


But I've never used EHViewer.

 
post Jan 9 2018, 18:32
Post #66
hzqr



Savagely Still
********
Group: Gold Star Club
Posts: 4,672
Joined: 13-May 09
Level 462 (Dovahkiin)


Regardless of the exploit used, you should probably use a password manager (e.g. KeePass (keepass.info) or BitWarden (bitwarden.com)) to store/generate your passwords anyway.
Most modern password managers offer browser integration via extensions, which makes them very easy/convenient to use.

 
post Jan 9 2018, 18:52
Post #67
lazyNPC



├┬┴┬┴┤(・_├┬┴┬┴┤
********
Group: Gold Star Club
Posts: 3,346
Joined: 8-June 12
Level 500 (Godslayer)


QUOTE(hzqr @ Jan 9 2018, 17:32) *

...

>Password Manager
No thanks :tongue:

 
post Jan 9 2018, 18:58
Post #68
jy-laji



The man who became an island.
********
Group: Members
Posts: 2,913
Joined: 21-May 11
Level 500 (Ponyslayer)


deleted

This post has been edited by jy-laji: May 22 2018, 04:48

 
post Jan 9 2018, 19:09
Post #69
Tenboro

Admin




I don't particularly suspect EhViewer. Decompiling the released APK didn't reveal any smoking guns, and if at least one person wasn't using it, it probably isn't the culprit. Still, it would be interesting to see how many of the compromised people were using it.

 
post Jan 9 2018, 19:16
Post #70
@43883




************
Group: Gold Star Club
Posts: 31,486
Joined: 6-March 08
Level 500 (Newbie)


I think some infosec experts are laughing hard right now. Actually, no, I don't think so. I'm sure of it.

Why bother with elaborate scams when all you need is a simple domain people will mistype and blindly trust because they don't know they can simply use hardcoded IPs (immune to DNS poisoning) and bookmark them?
Yes, the wiki can also be vandalized, but certain articles require elevated rights. Yes, the wiki database can be hijacked. Yes, the Internet can die. Yes, it's possible to win a mahjong hand on the very first draw consisting of no less than six different yakuman with regular rules.

If the domain is more convenient, then whois the domain. And bookmark it. And if you had a one-year-long session and cookies on a domain and somehow, it looks like you're being asked for your credentials again (and you're not in privacy/incognito mode), then you are not where you think you are. Check the address bar.

It's as easy as tagging. Type tag. Check own taglist. See extremely low usage. Go what the fuck, go back. Facepalm at own stupidity. Remove tag. Problem caused by self and solved by self!
(The taglist step is optional if you have decent eyesight and/or you aren't dyslexic.)

This post has been edited by AgentLillian: Jan 9 2018, 19:20

 
post Jan 9 2018, 19:20
Post #71
8055



Dormant Scanner
***
Group: Catgirl Camarilla
Posts: 227
Joined: 17-May 09
Level 395 (Dovahkiin)


I'll just throw in my two cents and let others know I haven't been affected by any malicious attack on my account or session (though I have not been on Hentaiverse in almost a month).

The scripts I typically use for reference are the following, so it is most likely that these ones are safe to use:

1. Hentaiverse Monsterbation
2. HV - Battle Stats EX
3. HV Crunk Juice
4. Offset Screen to the right (Custom script a user assembled for me to center the screen properly instead of it centering to the left of the window whenever I open the game in a new tab instead of a pop-up window, which is how I usually play HV. It doesn't always work correctly though and I think it breaks after the 1st wave for some reason, though this doesn't affect the battles themselves.)
5. Reloader

I use no scripts or addons for the regular site.

 
post Jan 9 2018, 19:28
Post #72
hzqr



Savagely Still
********
Group: Gold Star Club
Posts: 4,672
Joined: 13-May 09
Level 462 (Dovahkiin)


QUOTE(jy-laji @ Jan 9 2018, 17:58) *
And things would get interesting if those get breached.
Anyways, I generate long random passwords, pick one for each important account, and save them in txt in a password-protected 7z.

KeePass has been audited by multiple independent parties (including Google Project Zero and a European FOSS commission) and is not cloud-based; if someone manages to breach your database, you probably have a lot of other stuff to worry about.
I haven't tried the other cloud-based one, but it's open-source and they have a HackerOne program to find potential vulnerabilities, so it's better than its competitors as far as I'm concerned.

I'll stop the (most likely pointless) rant since this is really not the right place to discuss password managers.

 
post Jan 9 2018, 19:39
Post #73
Cleavs



A certain pervert. OT expert. Just dancing around in the game.
***********
Group: Gold Star Club
Posts: 24,313
Joined: 18-January 07
Level 500 (Ponyslayer)


QUOTE(8055 @ Jan 9 2018, 18:20) *

The scripts I typically use for reference are the following, so it is most likely that these ones are safe to use:

1. Hentaiverse Monsterbation
2. HV - Battle Stats EX
3. HV Crunk Juice

these are all safe to use, afaik. i trust sickentide (both Monsterbation and CrunkJuice) and i'm pretty confident that Battle Stats EX would've already been reported by now if it had something wrong in it.

QUOTE(8055 @ Jan 9 2018, 18:20) *

4. Offset Screen to the right (Custom script a user assembled for me to center the screen properly instead of it centering to the left of the window whenever I open the game in a new tab instead of a pop-up window, which is how I usually play HV. It doesn't always work correctly though and I think it breaks after the 1st wave for some reason, though this doesn't affect the battles themselves.)

this, i cannot say anything. but especially if short, i wouldn't mind this one particularly.

QUOTE(8055 @ Jan 9 2018, 18:20) *

5. Reloader

this, i suggest you to remove it since:
1. if nothing else, this is broken since quite a while
2. even if working, it's redundant at best and dangerous at worst (botting measures have been reviewed, and Reloader doesn't comply anymore).

NB: its successor, Monsterbation, has been carefully designed in order to fulfill such requirements, so while we're at it i invite all people with Reloader or customized versions still installed on their machines to uninstall them and switch to Monsterbation

 
post Jan 9 2018, 20:04
Post #74
@43883




************
Group: Gold Star Club
Posts: 31,486
Joined: 6-March 08
Level 500 (Newbie)


QUOTE(hzqr @ Jan 9 2018, 17:28) *
I'll stop the (most likely pointless) rant since this is really not the right place to discuss password managers.
It's a shitty thread anyway. Don't let it get to your head, tiap; that was useful information, and the thread is soon going to become Russian levels of diminishing quality.

(Not linking to it because now under RKN control, RKN-chan best dominatrix.)

 
post Jan 9 2018, 20:19
Post #75
WatermelonJuice



Arcobaleno
*******
Group: Gold Star Club
Posts: 2,220
Joined: 20-April 13
Level 500 (Ponyslayer)


QUOTE(AgentLillian @ Jan 10 2018, 01:16) *

I think some infosec experts are laughing hard right now. Actually, no, I don't think so. I'm sure of it.

Why bother with elaborate scams when all you need is a simple domain people will mistype and blindly trust because they don't know they can simply use hardcoded IPs (immune to DNS poisoning) and bookmark them?
Yes, the wiki can also be vandalized, but certain articles require elevated rights. Yes, the wiki database can be hijacked. Yes, the Internet can die. Yes, it's possible to win a mahjong hand on the very first draw consisting of no less than six different yakuman with regular rules.

If the domain is more convenient, then whois the domain. And bookmark it. And if you had a one-year-long session and cookies on a domain and somehow, it looks like you're being asked for your credentials again (and you're not in privacy/incognito mode), then you are not where you think you are. Check the address bar.

It's as easy as tagging. Type tag. Check own taglist. See extremely low usage. Go what the fuck, go back. Facepalm at own stupidity. Remove tag. Problem caused by self and solved by self!
(The taglist step is optional if you have decent eyesight and/or you aren't dyslexic.)


Since you mention DNS poisoning, I use the nslookup command on my computer to check it (e-hentai.org, hentaiverse.org, and one site that can't be mentioned here), and it returns correct results.

 
post Jan 9 2018, 22:41
Post #76
@43883




************
Group: Gold Star Club
Posts: 31,486
Joined: 6-March 08
Level 500 (Newbie)


Yup. Then it's not DNS poisoning. However, your DNS will still resolve fake domains. Perform a whois and DNS lookup for the two random domains blue penguin mentioned while "shooting in the dark" for leads (pay attention to his post's details)...
QUOTE(blue penguin @ Jan 8 2018, 21:07) *
Shot in the dark. [console log]
Does anyone here type the EH address into the address bar?
Still waiting for people to answer that simple question - as well as the implied one: did any of you visit those malicious clones?
No one will call you dumb over this if you admit it (if they do, just shrug it off); admitting to one's mistakes is something worth a lot of praise because less and less people do that nowadays. Not even the current president of the United States of America.

If someone typed that and entered their credentials in there, you just gave away private information and it has nothing to do with EH: that would be like typing gogole dot com and blaming Google for the "security breach".

This post has been edited by AgentLillian: Jan 9 2018, 22:42
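
The "check the address bar" advice in the post above can be automated. The following is an added example, not code from any poster or from the site: it compares a typed host against a list of bookmarked domains and flags near misses such as the "gogole dot com" case. The `KNOWN_GOOD` list, the function names and the edit threshold are assumptions of this example.

```python
from urllib.parse import urlsplit

# Domains you actually bookmarked. These three are named in the thread;
# the list itself is an assumption of this example.
KNOWN_GOOD = ("e-hentai.org", "hentaiverse.org", "google.com")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[-1]

def hostname_of(typed):
    """Accept a bare host or a full URL; return the lower-cased hostname."""
    typed = typed.strip()
    if "//" not in typed:
        typed = "//" + typed
    return (urlsplit(typed).hostname or "").rstrip(".")

def classify(typed, max_edits=2):
    """Return ("known" | "lookalike" | "unknown", matched domain or None)."""
    host = hostname_of(typed)
    for good in KNOWN_GOOD:
        if host == good or host.endswith("." + good):
            return "known", good
    for good in KNOWN_GOOD:
        labels = good.count(".") + 1
        tail = ".".join(host.split(".")[-labels:])
        # 1) a few typos away, 2) same name under another TLD,
        # 3) the real domain used as a prefix or inner part of another host
        near_miss = 0 < osa_distance(tail, good) <= max_edits
        other_tld = tail.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]
        buried = (host + ".").startswith(good + ".") or "." + good + "." in host
        if near_miss or other_tld or buried:
            return "lookalike", good
    return "unknown", None
```

A plain Levenshtein distance would score "gogole" against "google" as 2; counting the adjacent swap as one edit matches how such typos actually happen.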

 
post Jan 10 2018, 04:16
Post #77
mozilla browser



Nutscrape Navigator
*******
Group: Gold Star Club
Posts: 2,131
Joined: 22-December 11
Level 500 (Godslayer)


I think there's no need to make fun of them (at least, not until we find out how they were hacked).

DNS poisoning is unlikely with modern browsers that have ever visited the clean site and are now revisiting it over a malicious network, because of HSTS. Tenboro, note that the intent of preload is not met (hstspreload.org).

Typo squatting is possible, but I don't see any reason to suspect the sedo parked domains any more now than in the past.

I'd still lean towards password reuse. And skunkzes has highlighted one possible hacked site above.


QUOTE(Superlatanium @ Jan 9 2018, 16:47) *

You almost surely already do this, but start out by only giving out a real email address when there's a legitimate need for the site to know it or for you to access the site long-term (and you care about your unique account), otherwise I'd use a random disposable one just to get you past the registration process.


I actually haven't been doing this, because the current service I'm using makes it easy enough to issue a unique email address everywhere, and I can painlessly revoke it if necessary. Sometimes, I don't know if I'd need to be contactable long-term until later.

Another reason for me to use a unique email address per site is precisely because I can detect leaked user databases when I see spam coming via that email address. Sneakemail has been perfect for my use case, but it seems to be a fairly niche product.

This post has been edited by mozilla browser: Jan 10 2018, 08:42
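
The HSTS point in the post above, as an added example that is not part of the original post: it parses a `Strict-Transport-Security` value, lists which hstspreload.org header requirements it misses, and shows why HSTS only helps a browser that has already seen the header over a clean connection. The function names and the sample headers in the tests are constructed for this example and do not reflect what any site in the thread actually served.

```python
import re

# One year: the minimum max-age hstspreload.org accepts for the preload list.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value-or-None} with lower-cased names, or None
    when the header is invalid and a browser would ignore it."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in directives:           # a repeated directive is invalid
            return None
        directives[name] = value.strip().strip('"') if has_value else None
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        return None                      # max-age is required, digits only
    return directives

def preload_gaps(header):
    """List the hstspreload.org header requirements this value fails."""
    d = parse_hsts(header)
    if d is None:
        return ["no valid HSTS policy"]
    gaps = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        gaps.append("max-age below 31536000")
    if "includesubdomains" not in d:
        gaps.append("includeSubDomains missing")
    if "preload" not in d:
        gaps.append("preload missing")
    return gaps

def pinned_to_https(header, seconds_since_clean_visit):
    """True if a browser that last received this header over a clean HTTPS
    connection that many seconds ago would still refuse plain HTTP and
    certificate errors for the host. None means it never visited."""
    d = parse_hsts(header)
    if d is None or seconds_since_clean_visit is None:
        return False
    return seconds_since_clean_visit < int(d["max-age"])
```

A header with no gaps still has to be submitted to the preload list before first-time visitors are covered; until then only returning browsers are pinned.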

 
post Jan 10 2018, 08:25
Post #78
b923242



Newcomer
*
Group: Members
Posts: 40
Joined: 20-August 13
Level 180 (Lord)


QUOTE(AgentLillian @ Jan 10 2018, 06:41) *

Yup. Then it's not DNS poisoning. However, your DNS will still resolve fake domains. Perform a whois and DNS lookup for the two random domains blue penguin mentioned while "shooting in the dark" for leads (pay attention to his post's details)...
Still waiting for people to answer that simple question - as well as the implied one: did any of you visit those malicious clones?
No one will call you dumb over this if you admit it (if they do, just shrug it off); admitting to one's mistakes is something worth a lot of praise because less and less people do that nowadays. Not even the current president of the United States of America.

If someone typed that and entered their credentials in there, you just gave away private information and it has nothing to do with EH: that would be like typing gogole dot com and blaming Google for the "security breach".


Why would anyone know that it is a clone but still type their info on it????
We have no idea which part had gone wrong, and that is the question we want to ask so we can solve the problem in the future.

Okay, back to the question. Here I'm using Google DNS 8.8.8.8, and all the EH URLs look legit.

The emails I use to register on forums are separate between countries. That's not to say I never reuse an email address, but for random forums all I use are some email accounts which I can live without and which have no important stuff in them.

 
post Jan 10 2018, 19:57
Post #79
@43883




************
Group: Gold Star Club
Posts: 31,486
Joined: 6-March 08
Level 500 (Newbie)


Okay, actual answer. Only Tenboro knows, and he has now returned your hacked shekels.

Problem solved. Please be careful next time.

This post has been edited by AgentLillian: Jan 13 2018, 01:33

 
post Jan 11 2018, 13:00
Post #80
Tenboro

Admin




Anyhow. I ran a script to reverse the mooglemail transfers from the hack. Note that this won't show up in the credit logs and balances may not update until you do something that forces a refresh (say, sell/buy 1 hath).

Try not to get hacked again.