Italy’s Most Prominent BitTorrent Site Hacked

Written by enigmax on July 29, 2009 

TNT Village, Italy’s most prominent torrent site, has been compromised by hackers. Intimate details of the site’s operations, including 50,000 usernames, passwords and email addresses, have been leaked onto the Internet. The site has taken precautionary measures but concerned users should change their passwords immediately.

One of the problems with running a website or any Internet presence is the constant threat of malicious attacks. Almost everyone will recall the terrible mauling experienced by MediaDefender after their confidential emails leaked onto the Internet, and since then many anti-piracy groups and related companies have felt the wrath of hackers.

But of course, being hacked isn’t the sole preserve of these organizations; it can happen to file-sharing sites too. In November 2008 a hacker tried to gain control of Torrentz.com and at the beginning of June NowTorrents had its own problems.

Today we bring news of another sizable hack, this time affecting Italy’s most prominent BitTorrent site, TNT Village. A hacker targeted the 50,000-member site and made off with the site’s database.

The admin of TNT Village explains: “A son of a bitch was able to discover my password. With it in recent days he has removed the TNT database. I then proceeded to change my password but in the meantime he/they had taken some sensitive data to users, and yesterday they were made public.”

[Image: TNT Village Leak]

Indeed, a torrent of the stolen data has appeared on various BitTorrent indexes. The data contained within is largely in Italian but a source with an interest in security breaches told TorrentFreak that the archive contains very sensitive information.

The site’s database schema, the actual database with around 50,000 usernames, passwords and emails, a list of site donors and private messages have all been leaked.

The site has taken steps to limit the damage but concerned users should change their passwords immediately, at the very least.


72 Responses

1 Jul 29, 2009 at 16:15 by Why the panic?

Why should anyone change anything? Do they have something to hide? Isn’t Bittorrent perfectly legal except for a few lawyers, lobbyists and judges that do not understand that?

2 Jul 29, 2009 at 16:17 by grrrrrruffff is second

Of course such databases are much safer in the hands of people that got convicted to 1 year in prison.

3 Jul 29, 2009 at 16:28 by Yeah

Why the panic?: of course, obviously seeing as nobody was breaking the law, everyone should be ok with their usernames, passwords, and emails being leaked over the internet.
You obviously don’t have anything to hide, why don’t you post your email and password too?

4 Jul 29, 2009 at 16:28 by Ricardo

@ Why the panic?

I suppose you don’t have anything to hide, ok? What about sending me your credit card number? :)))

5 Jul 29, 2009 at 16:33 by HNicolai

A hacker shouldn’t be able to guess an admin’s password…

Why don’t people (and especially admins!) make a good and strong password?

6 Jul 29, 2009 at 16:34 by Leo Ghost

Can we get word on if the database contained proof that certain users uploaded certain torrents? If that’s in there, along with their email address and password, those members are pretty much screwed assuming a media outfit downloads the torrent and uses it against them (though would it count as evidence, as it’s illegal itself?)

@1 & 3
They should at least change their passwords so that their other accounts don’t get hacked… assuming they use the same password for everything.

7 Jul 29, 2009 at 16:42 by d[iO]nysus

@1

No, of course no one has anything to hide. That’s why law-abiding people shouldn’t be worried when government-controlled security cameras are placed on every corner… or when National ID cards become a requirement to buy food… or when getting Chipped is a requirement to be a citizen.

No law-abiding citizen has anything to hide, so why bother with privacy laws at all?

8 Jul 29, 2009 at 16:50 by BustaLinx

@1,3

Fail.

9 Jul 29, 2009 at 16:54 by yano

@6

Hear, hear :)

10 Jul 29, 2009 at 16:58 by News Reader

Well, hope those members don’t get caught by the Copyright groups.
User databases and bank accounts are sensitive data which, if it falls into the wrong hands, can create a disaster.

@6

I agree.

11 Jul 29, 2009 at 17:02 by Cygnus

illegally obtained data is not viable as a source of evidence in court.

12 Jul 29, 2009 at 17:06 by jemoer

A good user-database should be constructed in such a manner that nobody can see the users’ passwords, not even the admin.
If they had done that there wouldn’t have been a problem, so a big FAIL for TNT Village.

13 Jul 29, 2009 at 17:14 by donkeyb0n3r

@ all those who think this isn’t a big deal:

1. Spamming companies would love to get a 50k mailing list
2. A lot, i mean A LOT of people use the same u-name/pass combination for a lot, anyone could steal / hack any sensitive info..
3. How about info in the PMs sent?

Oh and @11

U’d talk about encryption, and as far as i know, most passes are easy to crack (using either brute force/dictionary attack), it most of the time depends on how long the pass is…

14 Jul 29, 2009 at 17:26 by Anonymous

10 Jul 29, 2009 at 17:02 by Cygnus

illegally obtained data is not viable as a source of evidence in court.

It depends on the country LoL

But from what I hear about Berlusconi it may not matter how the proof was obtained :)

15 Jul 29, 2009 at 17:30 by Brokep

THEY DID NOT STEAL ANYTHING; THEY ONLY MADE A COPY!!!

come on guys, why make a difference between stolen movies and stolen personal details. Don’t blame people for thinking it’s OK to steal the latter when the entire world also thinks it’s OK to steal movies…

16 Jul 29, 2009 at 17:35 by anon

whats the name of the torrent

17 Jul 29, 2009 at 17:36 by whe

whats the title of the torrent

18 Jul 29, 2009 at 17:37 by deadmanamerican

good job unknown hacker…now people are really talking a lot of nonsense…read some above posts

19 Jul 29, 2009 at 17:40 by dweebs

16 you’re right, but people will complain because they are now the victims and not the record or movie industry. People who download are the world’s biggest hypocrites.

1 a person who puts on a false appearance of virtue or religion
2 a person who acts in contradiction to his or her stated beliefs or feelings

in other words it’s ok to share music, movies, games or programs but it’s not ok to share something that belongs to you!!!

20 Jul 29, 2009 at 17:44 by Jorge

Fail at the admins for not changing up the default password encryption scheme. I thought all torrent sites knew to change the php files to encrypt/decrypt the passwords with more than one encryption method + salt. The hacker didn’t get any php files and all attempts to brute force or crack using rainbow tables would have failed. But nooooooo, some high school rich kid decides to untar a tracker file and photoshop a few logos and suddenly everyone is in trouble.

Fail @ the admin, and a big heads up to all you other wannabe admins out there. Use secure passwords, 10 chars or longer, upper and lower case with numbers and symbols if you can remember it. Don’t use common words either. My god in this day and age you’d think people would be smarter about this sort of thing.

Users could have protected themselves the same way by using long and complicated passwords that can’t be cracked.

Just an example of a collection of epic fail all meeting at a perfect intersection, where a colossal fail is born.

Sweet baby jesus.

21 Jul 29, 2009 at 17:46 by Anonymous

@12
Of course all passwords are easy to crack in theory. But a salted MD5 hash can take years to crack. At the very least, a simple MD5 hash of the password should be stored instead of plain-text. I don’t know what the hell these guys were thinking.

Oh and the main reason that this is a major problem is because most people use the same password for their email, social networking profile, bank account, etc.

22 Jul 29, 2009 at 18:02 by Paolo

@jemoer
@Jorge

and all the others: the passwords ARE encrypted! The only way to decrypt them is with brute force and hoping that some users chose a weak password. This is the main reason for which password change is strongly recommended, NOT because pwd db was not encrypted.

23 Jul 29, 2009 at 18:14 by II

profiling is the problem…
the passwords are the less important issue here, while nickname/email pairs are very valuable!

well, at least for me… I had a 20 char long password… now 21 :P

24 Jul 29, 2009 at 18:20 by grrrrrruffff

LOL at the big brave trolls suddenly they’re out in force

what happened to you bed wetters, when this article was posted

Copyright Group Prosecuted For Failing to Pay Artists….

well?

25 Jul 29, 2009 at 18:30 by frank

sharing bought music is not the same as publishing stolen secrets.

don’t tell me that you don’t know that.

but yeah, everyone is sharing files.

26 Jul 29, 2009 at 18:44 by Phoenix

this story is made up !
something stinks about it, starting from the password thingy !
and yeah i see in the pic the sql db is 52 mb o!0 any idiot can know that a site with 50.000 members like TF said would have much bigger sql db !

well maybe it’s the way of TNT Village of saying goodbye !

27 Jul 29, 2009 at 18:49 by Razor11

The torrent name is: “TNT VILLAGE DATABASE AND PRIVATE TOPICS”

28 Jul 29, 2009 at 18:50 by tophing

@11

you don’t save an encrypted password in the DB, but a hash…

29 Jul 29, 2009 at 18:51 by tophing

sorry, my previous post was for 12 and not 11

30 Jul 29, 2009 at 18:52 by Anonymous

52 mb of “plain text” is nothing in comparison to total of tnt users. More of row of those file are: insert into (field, field….. ). In conclusion the very data is very poor.

31 Jul 29, 2009 at 18:55 by Yeah

@5: sarcasm detector fail?

32 Jul 29, 2009 at 18:57 by Yeah

Sorry, that was @7

33 Jul 29, 2009 at 19:11 by BioShockerT81

As usual the pirates’ double standards have been shown. Sigh.

34 Jul 29, 2009 at 19:33 by mick

unlike your generalizing, as usual

double sigh

35 Jul 29, 2009 at 19:44 by Stevie C

this is probably the work of a skript kiddie brainwashed by the MAFIAA

36 Jul 29, 2009 at 20:01 by Anonymous

Just goes to show… idiots shouldn’t be admins.

37 Jul 29, 2009 at 20:02 by Anonymous

Even with a salted password, since the whole site was available the salt could easily be discovered and a brute-force library be created from a dictionary+salt. Weak passwords would still need to be changed.
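
The salting point debated in comments 20 to 41, as an added example that is not part of the article or of any commenter's post: unsalted MD5 gives every account with the same password the same stored value, while a per-user random salt with a slow key-derivation function does not. The sample accounts are constructed, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumption, chosen because it ships in Python's standard library.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample accounts (not taken from the leaked data).
SAMPLE_USERS = [
    ("alice", "123456"),
    ("bob", "123456"),
    ("carol", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def md5_unsalted(password: str) -> str:
    """Legacy scheme discussed in the thread: one fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF; returns 'iterations$salt$hash'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_hashes(records: list) -> int:
    """Count stored values that appear more than once in a credentials table."""
    return sum(n for n in Counter(records).values() if n > 1)


def demo() -> dict:
    legacy = [md5_unsalted(pw) for _, pw in SAMPLE_USERS]
    modern = [hash_password(pw) for _, pw in SAMPLE_USERS]
    return {
        "legacy_shared": shared_hashes(legacy),  # alice and bob share one value
        "modern_shared": shared_hashes(modern),  # unique salts, nothing shared
        "verify_ok": verify_password("123456", modern[0]),
        "verify_bad": verify_password("1234567", modern[0]),
    }


if __name__ == "__main__":
    print(demo())
```

A salt only stops precomputed tables and the grouping of identical passwords; a guessable password stays guessable, so the iteration count is what raises the cost of each guess.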

38 Jul 29, 2009 at 20:05 by Anonymous

Even the most careful of admins using contained virtual computers and the heaviest of security could still possibly be compromised by someone persistent enough.

39 Jul 29, 2009 at 20:21 by headofRIAAmustdie

Passwords should really be randomly generated with a combination of upper and lower case letters and numbers and symbols. Admins should also change their random passwords every few weeks at least. And all user passwords should be hashed and even the admin shouldn’t be able to see them. Those 50k ppl better get ready for the spam wave that’s gonna hit ur inbox soon. lol

40 Jul 29, 2009 at 20:27 by hot sex gary

@16

pirating personal details is slightly different to pirating information that is readily broadcast over radio and television but is for some reason regulated when it is migrated to a digital form

ps: who would get a kick out of trolling here? i can picture self-righteous old people in suits chuckling to themselves after working a 10 hour shift and trying to forget the prospect of heading home to an ugly wife and irritable kids

41 Jul 29, 2009 at 20:33 by Sendaii

@12: Not if the MD5 hashes were salted. They would be very difficult to crack, if not impossible. They obviously weren’t. This was an accident waiting to happen.

42 Jul 29, 2009 at 21:41 by donkeyb0n3r

@29/30

Ye ofc, though that would only complicate the whole theory on password cracking even more, when ur explaining it to those who don’t know nothing about this… :)

43 Jul 29, 2009 at 21:41 by vek

“the actual database with around 50,000 usernames”

the actual number of the users is at least 260000 not 50000…

44 Jul 29, 2009 at 21:45 by Anonymous

where is the torrent?

45 Jul 29, 2009 at 22:12 by Francy

I found it….

http://www.alivetorrents.com/torrent/2800125/tnt-village-database-and-private-topics

….i’m downloading it right now.
Btw, that is a shame for us Italians… I meant, why do admins keep using weak passwords!? that’s something more than “stupid”…

46 Jul 29, 2009 at 22:16 by Anonymous

hey thanks a lot francy!

47 Jul 29, 2009 at 22:55 by Anonymous

“THEY DID NOT STEAL ANYTHING; THEY ONLY MADE A COPY!!!

come on guys, why make a difference between stolen movies and stolen personal details. Don’t blame people for thinking it’s OK to steal the latter when the entire world also thinks it’s OK to steal movies…”

I agree. As a pirate/file-sharer myself, I recognize that this act isn’t stealing. It is wrong, though.

48 Jul 29, 2009 at 23:20 by UNF

Darwin sez, if TNT Village survives, its security will be improved. Hence, thankz, Hackerz!

49 Jul 29, 2009 at 23:28 by mr.T

It’s Italy – |_|p <- care cup is empty foo.

50 Jul 29, 2009 at 23:41 by oh noooooez

Yer could use a info_hash as a good strong password if you pick a nice popular torrent to refer back to for when yer forget. :)

51 Jul 29, 2009 at 23:49 by Anonymous

the average torrent site is hackable and it is not always the source code’s fault. 90% or more of the owners and staff out there use the same password on other sites on the internet and all it takes is for an owner to use the same password and then somebody go to a site which stores md5 hashes since quite a few torrent source codes out there use md5 for the password.

52 Jul 29, 2009 at 23:58 by Peter

Who cares? Who actually uses their real email address on these sites anyway? Nothing to gain by getting this data. MPAA can hire as many hackers as they like.

53 Jul 30, 2009 at 00:36 by Francy

i read that all…

there is a lot of information… about what happened in the past behind TNT Village.
Also the future of that website doesn’t look bright.

They’ve a lot of financial straits…

A couple of admins lost their mental-health on there…

One guy called “PinoLallo” lost his customers due to his involvement with TNT Village. He lost at least 3000€ and customers after his account on one Domain registrar has been closed …..killing all of his customers domains too…

Another man, Dilling, the owner of TNT Village, lost his job because of his bad attitude caused by the stress and lack of sleep to manage TNTVillage.

… a lot of bad news in that leak…

54 Jul 30, 2009 at 02:01 by Mauri [FR]

Ouch busted, glad I never used that site. If I was one of the users I wouldn’t be as much worried about anti-p2p companies getting the info as I would be of spam. That database will screw a lot of people in that sense.

55 Jul 30, 2009 at 02:55 by bastardo

LMAO, i got 804 accounts using “123456” as the pass in there…

56 Jul 30, 2009 at 02:59 by bastardo

ooooh, now i see what numbers on the end were, wow…

57 Jul 30, 2009 at 03:38 by John

This should be an example for members of torrent sites (and any other sites) to realize that they shouldn’t use the same passwords for different things – or at the least, things of different value.

And never. ever. EVER. use your e-mail password for anything else.

If they have your inbox – they have all the passwords you used that inbox to sign up with.

As for the admin – the only reason you would store passwords in plaintext is so you can read them yourself. Seriously – all admins know to hash passwords. The ones that don’t cannot be trusted.

As for the ‘it’s not sharing it’s copying – look at the pirates whining about stealing when it’s their stuff’, the difference here is obvious:

I do not sell my personal details to the public.

So although i wouldn’t consider this ‘a lost sale’ and thus a criminal offence, i would consider it identity fraud, and thus, a *serious* criminal offence.

It’s not the same at all…

58 Jul 30, 2009 at 07:26 by Anonymous

Oh guess who is doing this!

The corporation of gangsters and parasites those poised for eradication soon!

59 Jul 30, 2009 at 09:28 by Anonymous

I’m italian.

TntVillage = shit.
And italy = shit.

60 Jul 30, 2009 at 09:36 by LOL

They are Italians….. only n00bs

61 Jul 30, 2009 at 10:43 by LAWL

” They are Italians….. only n00bs”

LAWL

62 Jul 30, 2009 at 10:44 by TerribleTony

Clearly these guys have no idea about Data Protection. Even if someone hacked my sites and stole my database, my users wouldn’t have to change their password, because they are salted and encrypted. And it’s easy to do such things too. Knobbers.

63 Jul 30, 2009 at 13:07 by Yeah

That teaches those Italian noobs right, i’ll be surprised if any members stay at TNT *g* *g*

64 Jul 30, 2009 at 13:15 by anon666

YAY!! Nicely done, hacker dude :)

65 Jul 30, 2009 at 13:34 by Wacko Jacko

haha.. I just decrypted an MD5 password of some user and could login into his TNT account and his e-Mail acc also ! .. so it works :D

66 Jul 30, 2009 at 15:01 by T_B

Why you don’t make your business?

Think if it happens to you…:(

67 Jul 30, 2009 at 15:04 by N

Damn, there are hundreds topolino (mickey mouse) paperino (donald duck) wlafiga maria berlusconi and similar passwords. No salt, apparently. Damn!

68 Jul 30, 2009 at 20:33 by Italian

@67:

you’re more than a noob. a real good person wouldn’t have done such a miserable thing.

and, allow me to say this, but tnt is wonderful

69 Jul 30, 2009 at 21:56 by hmmm

@45
It looks like the mysql server ran out of memory just after it went over 50944 accounts.

The last line of the sql dump file reads:
Fatal error: Allowed memory size of 56623104 bytes exhausted (tried to allocate 53739521 bytes) in /data/http/server2_site/tntforum/sources/Admin/ad_mysql.php on line 342

70 Jul 31, 2009 at 01:21 by Marco

http://blog.tntvillage.scambioetico.org/?p=2632&cpage=1#comment-3419

71 Jul 31, 2009 at 09:46 by Toni

55 Jul 30, 2009 at 00:36 by Francy

i read that all…

there is a lot of information… about what happened in the past behind TNT Village.
Also the future of that website doesn’t look bright.

They’ve a lot of financial straits…

A couple of admins lost their mental-health on there…

One guy called “PinoLallo” lost his customers due to his involvement with TNT Village. He lost at least 3000€ and customers after his account on one Domain registrar has been closed …..killing all of his customers domains too…

Another man, Dilling, the owner of TNT Village, lost his job because of his bad attitude caused by the stress and lack of sleep to manage TNTVillage.

… a lot of bad news in that leak

This is not the truth. The man called Pinolallo put TNTvillage on the same dnsdomain of his customers’ site. He lost his customers because of his stupidity, not of TNT…
He had also stolen 1200 euro from the donation of TNT.
This is the truth.

72 Aug 01, 2009 at 11:41 by Mandels

What? Pinolallo stole money from us?!? I don’t believe it!! I hope someone has an explanation.

How sad, anyway…
