TorrentFreak

The place where breaking news, BitTorrent and copyright collide

Italy’s Most Prominent BitTorrent Site Hacked

TNT Village, Italy’s most prominent torrent site, has been compromised by hackers. Intimate details of the site’s operations, including 50,000 usernames, passwords and email addresses, have been leaked onto the Internet. The site has taken precautionary measures but concerned users should change their passwords immediately.

One of the problems with running a website or any Internet presence is the constant threat of malicious attacks. Almost everyone will recall the terrible mauling experienced by MediaDefender after their confidential emails leaked onto the Internet, and since then many anti-piracy groups and related companies have felt the wrath of hackers.

But of course, being hacked isn’t the sole preserve of these organizations; it can happen to file-sharing sites too. In November 2008 a hacker tried to gain control of Torrentz.com, and at the beginning of June NowTorrents had its own problems.

Today we bring news of another sizable hack, this time affecting Italy’s most prominent BitTorrent site, TNT Village. A hacker targeted the 50,000-member site and made off with the site’s database.

The admin of TNT Village explains: “A son of a bitch was able to discover my password. With it in recent days he has removed the TNT database. I then proceeded to change my password but in the meantime he/they had taken some sensitive data to users, and yesterday they were made public.”

TNT Village Leak

Indeed, a torrent of the stolen data has appeared on various BitTorrent indexes. The data contained within is largely in Italian but a source with an interest in security breaches told TorrentFreak that the archive contains very sensitive information.

The site’s database schema, the actual database with around 50,000 usernames, passwords and emails, a list of site donors and private messages have all been leaked.

The site has taken steps to limit the damage but concerned users should change their passwords immediately, at the very least.


  • Why the panic?

    Why should anyone change anything? Do they have something to hide? Isn’t Bittorrent perfectly legal except for a few lawyers, lobbyists and judges that do not understand that?

  • grrrrrruffff is second

    Of course such databases are much safer in the hands of people that got convicted to 1 year in prison.

  • Yeah

    Why the panic?: of course, obviously seeing as nobody was breaking the law, everyone should be ok with their usernames, passwords, and emails being leaked over the internet.
    You obviously don’t have anything to hide, why don’t you post your email and password too?

  • Ricardo

    @ Why the panic?

    I suppose you don’t have anything to hide, ok? What about sending me your credit card number? :)))

  • HNicolai

    A hacker shouldn’t be able to guess an admin’s password…

    Why don’t people (and especially admin!) make a good and strong password ?

  • Leo Ghost

    Can we get word on if the database contained proof that certain users uploaded certain torrents? If that’s in there, along with their email address and password, those members are pretty much screwed assuming a media outfit downloads the torrent and uses it against them (though would it count as evidence, as it’s illegal itself?)

    @1 & 3
    They should at least change their passwords so that their other accounts don’t get hacked… assuming they use the same password for everything.

  • d[iO]nysus

    @1

    No, of course no one has anything to hide. That’s why law-abiding people shouldn’t be worried when government-controlled security cameras are placed on every corner… or when National ID cards become a requirement to buy food… or when getting Chipped is a requirement to be a citizen.

    No law-abiding citizen has anything to hide, so why bother with privacy laws at all?

  • BustaLinx

    @1,3

    Fail.

  • yano

    @6

    Hear, hear :)

  • News Reader

    Well, hope those members don’t get caught by the Copyright groups.
    User databases and bank accounts are sensitive data which, if it falls into the wrong hands, can create a disaster.

    @6

    I agree.

  • Cygnus

    illegally obtained data is not viable as a source of evidence in court.

  • jemoer

    A good user-database should be constructed in such a manner that nobody can see the users’ password, not even the admin.
    If they would have done that there wouldn’t have been a problem, so a big FAIL for TNT village

  • donkeyb0n3r

    @ all those who think this isn’t a big deal:

    1. Spamming companies would love to get a 50k mailing list
    2. A lot, i mean A LOT of people use the same u-name/pass combination for a lot, anyone could steal / hack any sensitive info..
    3. How about info in the PMs sent?

    Oh and @11

    U’d talk about encryption, and as far as i know, most passes are easy to crack (using either brute force/dictionary attack), it most of the time depends on how long the pass is…

  • Anonymous

    10 Jul 29, 2009 at 17:02 by Cygnus

    illegally obtained data is not viable as a source of evidence in court.

    It depends on the country LoL

    But from what I hear about Berlusconi it may not matter how the proof was obtained :)

  • Brokep

    THEY DID NOT STEAL ANYTHING; THEY ONLY MADE A COPY!!!

    come on guys, why make a difference between stolen movies and stolen personal details. Don’t blame people for thinking it’s OK to steal the latter when the entire world also thinks it’s OK to steal movies…

  • anon

    whats the name of the torrent

  • whe

    whats the title of the torrent

  • deadmanamerican

    good job unknown hacker…now people are really talking a lot of nonsense…read some above posts

  • dweebs

    16 you’re right but people will complain because they are now the victims and not the record or movie industry. people who download are the world’s biggest hypocrites.

    1 a person who puts on a false appearance of virtue or religion
    2 a person who acts in contradiction to his or her stated beliefs or feelings

    in other words its ok to share music movies games or programs but its not ok to share something that belongs to you!!!

  • Jorge

    Fail at the admins for not changing up the default password encryption scheme. I thought all torrent sites knew to change the php files to encrypt/decrypt the passwords with more than one encryption method + salt. The hacker didn’t get any php files and all attempts to brute force or crack using rainbow tables would have failed. But nooooooo, some highschool rich kid decides to untar a tracker file and photoshop a few logos and suddenly everyone is in trouble.

    Fail @ the admin, and a big heads up to all you other wannabe admins out there. Use secure passwords, 10 chars or longer, upper and lower case with numbers and symbols if you can remember it. Don’t use common words either. My god in this day and age you’d think people would be smarter about this sort of thing.

    Users could have protected themselves the same way by using long and complicated passwords that can’t be cracked.

    Just an example of a collection of epic fail all meeting at a perfect intersection, where a colossal fail is born.

    Sweet baby jesus.

  • Anonymous

    @12
    Of course all passwords are easy to crack in theory. But a salted MD5 hash can take years to crack. At the very least, a simple MD5 hash of the password should be stored instead of plain-text. I don’t know what the hell these guys were thinking.

    Oh and the main reason that this is a major problem is because most people use the same password for their email, social networking profile, bank account, etc.

  • Paolo

    @jemoer
    @Jorge

    and all the others: the passwords ARE encrypted! Only way to decrypt them is with brute force and hoping that some users chose a weak password. This is the main reason for which password change is strongly recommended, NOT because pwd db was not encrypted.

  • II

    profilazation is the problem…
    the passwords are the less important issue here, while nickname/email pairs are very valuable!

    well, at least for me… I had a 20 char long password… now 21 :P

  • grrrrrruffff

    LOL at the big brave trolls suddenly they’re out in force

    what happened to you bed wetters, when this article was posted

    Copyright Group Prosecuted For Failing to Pay Artists….

    well?

  • frank

    sharing bought music is not the same as publishing stolen secrets.

    don’t tell me that you don’t know that.

    but yeah, everyone is sharing files.

  • Phoenix

    this story is made up !
    something stinks about it, starting from the password thingy !
    and yeah i see in the pic the sql db is 52 mb o!0 any idiot can know that a site with 50.000 members like TF said would have much bigger sql db !

    well maybe it’s the way of TNT Village of saying goodbye !

  • Razor11

    The torrent name is: “TNT VILLAGE DATABASE AND PRIVATE TOPICS”

  • tophing

    @11

    you don’t save an encrypted password in the DB, but a hash…

  • tophing

    sorry, my previous post was for 12 and not 11

  • Anonymous

    52 mb of “plain text” is nothing in comparison to total of tnt users. More of row of those file are: insert into (field, field….. ). In conclusion the very data is very poor.

  • Yeah

    @5: sarcasm detector fail?

  • Yeah

    Sorry, that was @7

  • BioShockerT81

    As usual the pirates’ double standards have been shown. Sigh.

  • mick

    unlike your generalizing, as usual

    double sigh

  • Stevie C

    this is probably the work of a skript kiddie brainwashed by the MAFIAA

  • Anonymous

    Just goes to show… idiots shouldn’t be admins.

  • Anonymous

    Even with a salted password, since the whole site was available the salt could easily be discovered and a brute-force library be created from a dictionary+salt. Weak passwords would still need to be changed.

  • Anonymous

    Even the most careful of admins using contained virtual computers and the heaviest of security could still possibly be compromised by someone persistent enough.

  • headofRIAAmustdie

    Passwords should really be randomly generated with a combination of upper and lower case letters and numbers and symbols. Admins should also change their random passwords every few weeks at least. and All user passwords should be hashed and even the admin shouldn’t be able to see them. those 50k ppl better get ready for the spam wave that’s gonna hit ur inbox soon. lol

  • hot sex gary

    @16

    pirating personal details is slightly different to pirating information that is readily broadcast over radio and television but is for some reason regulated when it is migrated to a digital form

    ps: who would get a kick out of trolling here? i can picture self-righteous old people in suits chuckling to themselves after working a 10 hour shift and trying to forget the prospect of heading home to an ugly wife and irritable kids

  • Sendaii

    @12: Not if the MD5 hashes were salted. They would be very difficult to crack, if not impossible. They obviously weren’t. This was an accident waiting to happen.

  • donkeyb0n3r

    @29/30

    Ye ofc, though that would only complicate the whole theory on password cracking even more, when ur explaining it to those who dont know nothing about this… :)

  • vek

    “the actual database with around 50,000 usernames”

    the actual number of the users are at least 260000 not 50000…

  • Anonymous

    where is the torrent?

  • Francy

    I found it….

    http://www.alivetorrents.com/torrent/2800125/tnt-village-database-and-private-topics

    ….i’m downloading it right now.
    Btw, that is a shame for us italians… I meant, why do admins keep using weak passwords!? that’s something more than “stupid”…

  • Anonymous

    hey thanks a lot francy!

  • Anonymous

    “THEY DID NOT STEAL ANYTHING; THEY ONLY MADE A COPY!!!

    come on guys, why make a difference between stolen movies and stolen personal details. Don’t blame people for thinking it’s OK to steal the latter when the entire world also thinks it’s OK to steal movies…”

    I agree. As a pirate/file-sharer myself, I recognize that this act isn’t stealing. It is wrong, though.

  • UNF

    Darwin sez, if TNT Village survives, its security will be improved. Hence, thankz, Hackerz!

  • mr.T

    It’s Italy – |_|p <- care cup is empty foo.

  • oh noooooez

    Yer could use a info_hash as a good strong password if you pick a nice popular torrent to refer back to for when yer forget. :)

  • Anonymous

    the average torrent site is hackable and it is not always the source code’s fault. 90% or more of the owners and staff out there use the same password on other sites on the internet and all it takes is for an owner to use the same password and then somebody go to a site which stores md5 hashes since quite a few torrent source codes out there use md5 for the password.

  • Peter

    Who cares? Who actually uses their real email address on these sites anyway? Nothing to gain by getting this data. MPAA can hire as many hackers as they like.

  • Francy

    i read that all…

    there are a lot of information… about what happened in the past behind TNT Village.
    Also the future of that website doesn’t look bright.

    They’ve a lot of financial straits…

    A couple of admins lost their mental-health on there…

    One guy called “PinoLallo” lost his customers due to his involvement with TNT Village. He lost at least 3000€ and customers after his account on one Domain registrar has been closed …..killing all of his customers domains too…

    Another man, Dilling, the owner of TNT Village, lost his job because of his bad attitude caused by the stress and lack of sleep to manage TNTVillage.

    … a lot of bad news in that leak…

  • Mauri [FR]

    Ouch busted, glad I never used that site. If I was one of the users I wouldn’t be as much worried about anti-p2p companies getting the info as I would be of spam. That database will screw a lot of people in that sense.

  • bastardo

    LMAO, i got 804 accounts using “123456” as the pass in there…

  • bastardo

    ooooh, now i see what numbers on the end were, wow…

  • John

    This should be an example for members of torrent sites (and any other sites) to realize that they shouldn’t use the same passwords for different things – or at the least, things of different value.

    And never. ever. EVER. use your e-mail password for anything else.

    If they have your inbox – they have all the passwords you used that inbox to sign up with.

    As for the admin – the only reason you would store passwords in plaintext is so you can read them yourself. Seriously – all admins know to hash passwords. The ones that don’t cannot be trusted.

    As for the ‘it’s not sharing it’s copying – look at the pirates whining about stealing when it’s their stuff’ the difference here is obvious:

    I do not sell my personal details to the public.

    So although i wouldn’t consider this ‘a lost sale’ and thus a criminal offence, i would consider it identity fraud, and thus, a *serious* criminal offence.

    It’s not the same at all…

  • Anonymous

    Oh guess who is doing this!

    The corporation of gangsters and parasites those poised for eradication soon!

  • Anonymous

    I’m italian.

    TntVillage = shit.
    And italy = shit.

  • LOL

    They are Italians….. only n00bs

  • LAWL

    ” They are Italians….. only n00bs”

    LAWL

  • TerribleTony

    Clearly these guys have no idea about Data Protection. Even if someone hacked my sites and stole my database, my users wouldn’t have to change their password, because they are salted and encrypted. And it’s easy to do such things too. Knobbers.

  • Yeah

    That teaches those Italian noobs right, i’ll be surprised if any members stay at TNT *g* *g*

  • anon666

    YAY!! Nicely done, hacker dude :)

  • Wacko Jacko

    haha.. I just decrypted an MD5 password of some user and could login into his TNT account and his e-Mail acc also ! .. so it works :D

  • T_B

    Why you don’t make your business?

    Think if it happens to you…:(

  • N

    Damn, there are hundreds of topolino (mickey mouse) paperino (donald duck) wlafiga maria berlusconi and similar passwords. No salt, apparently. Damn!

  • Italian

    @67:

    you’re more than a noob. a real good person wouldn’t have done such a miserable thing.

    and, allow me to say this, but tnt is wonderful

  • hmmm

    @45
    It looks like the mysql server ran out of memory just after it went over 50944 accounts.

    The last line of the sql dump file reads:
    Fatal error: Allowed memory size of 56623104 bytes exhausted (tried to allocate 53739521 bytes) in /data/http/server2_site/tntforum/sources/Admin/ad_mysql.php on line 342

  • Toni

    55 Jul 30, 2009 at 00:36 by Francy

    i read that all…

    there are a lot of information… about what happened in the past behind TNT Village.
    Also the future of that website doesn’t look bright.

    They’ve a lot of financial straits…

    A couple of admins lost their mental-health on there…

    One guy called “PinoLallo” lost his customers due to his involvement with TNT Village. He lost at least 3000€ and customers after his account on one Domain registrar has been closed …..killing all of his customers domains too…

    Another man, Dilling, the owner of TNT Village, lost his job because of his bad attitude caused by the stress and lack of sleep to manage TNTVillage.

    … a lot of bad news in that leak

    This is not the truth. The man called Pinolallo put TNTvillage on the same dnsdomain of his customers’ site. He lost his customers because of his stupidity, not of TNT…
    He had also stolen 1200 euro from the donation of TNT.
    This is the truth.

  • Mandels

    What? Pinolallo stole money from us?!? I don’t believe it!! I hope someone has an explanation.

    How sad, anyway…
