Login database at your store hacked?

Status
Not open for further replies.
In order to "crack" your password the malicious actor would have to use a dictionary attack which runs the hashing transformation against words in a dictionary and compares the output hash value to the hashed value of your password. This can take a very long time. The more complex your password is, the harder it is to run a dictionary attack.

Agreed, but those hashes appear unsalted which means there's a decent chance someone's already done that work if your password isn't great.

Was the order history info leaked?

Not in bulk, but if your password isn't complex or has been reused, it would be trivial for someone to log in as you and download your order history. That is why it is insanity that Canada Ammo hasn't forced a password reset.

If you haven't reused your password, and ideally used a unique randomly generated one for Canada Ammo, you should be okay.
 
Agreed, but those hashes appear unsalted which means there's a decent chance someone's already done that work if your password isn't great.


Hi. Yeah, I agree in part. I think though that they actually did start salting the passwords when they switched to MD5. There are duplicates of SHA1 and Blowfish passwords, but not for any of the MD5 passwords. Knowing what I know about people and passwords, it's very unlikely that a set of 77000-ish passwords (the set of MD5 passwords) would not have a duplicate if they were unsalted. I think that they might be using the id, username, or email address as a salt. Not sure.

There's a lot of stagnant information in that data and CanadaAmmo should go through and sanitize it.
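The duplicate-count reasoning above, and the fix the site should have in place, as an added example that is not code from the thread or from Canada Ammo. The user rows are constructed, and the "field as salt" scheme is a hypothetical stand-in for whatever the site actually does.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample rows (id, email, plaintext) standing in for a leaked user
# table; two passwords are reused, as is typical in a real dump.
SAMPLE_USERS = [
    (1001, "alice@example.invalid", "hunter2"),
    (1002, "bob@example.invalid", "Password1"),
    (1003, "carol@example.invalid", "hunter2"),
    (1004, "dave@example.invalid", "Password1"),
    (1005, "erin@example.invalid", "correct horse battery staple"),
]


def unsalted_md5(password: str) -> str:
    """Plain MD5: identical passwords give identical hashes, so reuse is visible."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_with_field_salt(password: str, salt_field) -> str:
    """Hypothetical scheme the post speculates about: a stable per-user field
    (id, username or email) mixed in. Distinct users now get distinct hashes."""
    return hashlib.md5(f"{salt_field}:{password}".encode()).hexdigest()


def duplicate_hash_count(hashes) -> int:
    """How many distinct hash values occur more than once in the column."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


def salting_verdict(hashes) -> str:
    """Duplicates in a big hash column mean a deterministic (unsalted) scheme;
    none at all across many accounts points to per-user salting."""
    return "likely unsalted" if duplicate_hash_count(hashes) else "likely salted"


def pbkdf2_hash(password: str, salt: bytes = None) -> str:
    """What should be stored instead: random 16-byte salt plus a slow KDF,
    serialised as salt$digest in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"{salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(pbkdf2_hash(password, bytes.fromhex(salt_hex)), stored)
```

Running `salting_verdict` over the MD5 column of a dump is the same check the post did by eye; the PBKDF2 pair shows why a proper scheme yields no duplicates even when every user picks "hunter2".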
 
Hi. Yeah, I agree in part. I think though that they actually did start salting the passwords when they switched to MD5. There are duplicates of SHA1 and Blowfish passwords, but not for any of the MD5 passwords. Knowing what I know about people and passwords, it's very unlikely that a set of 77000-ish passwords (the set of MD5 passwords) would not have a duplicate if they were unsalted. I think that they might be using the id, username, or email address as a salt. Not sure.

One thing I would try if I was so inclined is looking through other leaked datasets for those emails. If you found one that has the password unencrypted or more easily reversible, you could then start trying the fields you mentioned as salts; you might get lucky if you found somebody reusing a password. Once you've got the salt, then go after the rest of the users with a rainbow table. It's an awful lot of effort for something like this, but I think the lesson is clear. This particular leak is not a major concern by itself, but it could be combined with other compromised information to bypass those basic protections.

Password reuse is an extremely common and very dangerous thing.
 
Never had any data stolen, at least I think so. Although I have a lot of large datasets with encrypted passwords, I am always saving all the data on an external HDD; I do not keep these data on my PC. I use a lead enrichment tool to gather the data and process them; gladly there are a lot of tools for automated processing, so it's not taking me that much time. So, keep the data off your PC and encrypt them to keep them safe.

Well, OK, how should I encrypt them? What's the process?
 
It looks like Canada Ammo reset passwords in the last couple days. The database might still contain all the initial information though.

They've not updated their vulnerable RHEL or PHP installations. So here's hoping they fixed the vulnerability that allowed the injection attack to succeed.

I think though that they actually did start salting the passwords when they switched to MD5. There are duplicates of SHA1 and Blowfish passwords, but not for any of the MD5 passwords. Knowing what I know about people and passwords, it's very unlikely that a set of 77000-ish passwords (the set of MD5 passwords) would not have a duplicate if they were unsalted. I think that they might be using the id, username, or email address as a salt. Not sure.

There's a lot of stagnant information in that data and CanadaAmmo should go through and sanitize it.

Looking back, you're absolutely right. Those MD5 hashes are salted; the SHA1/Blowfish ones aren't. Most hash lookup tools happily process all three though, so there's a good likelihood weak passwords get converted to clear text from the SHA1/Blowfish batch. I didn't notice the breached data added to any of the white hat tools I use yet, but I'm sure it's coming.

CanadaAmmo should definitely sanitize it based on age -- I haven't shopped there since 2014 and my account was still active.
 
TL;DR - Stop using Chrome, use Brave instead, and change all passwords on all accounts that use the same one as your Canadaammo password.

Is anyone even sure it was Canadaammo that got hacked? Because, if it's like what you get from Google Chrome, it means that the password you use for that account got hacked and was found on a darkweb account sales site. It doesn't mean it's on Canadaammo's end at all. The big culprit will be Google Chrome itself, which has had two password data breaches in the past five or so years. So if you use Chrome (especially in 2019, when a massive one stole nearly everybody's passwords), that would likely be your culprit. And not only do you need to change your password on Canadaammo, but on each and every account where you used that password (or similar ones) online.

Asking a site to delete old accounts is stupid, and shouldn't happen. Because as soon as they did, people would be upset, because suddenly they would need to go back and look at old orders. It's damned if you do, damned if you don't. And most sites go with "don't delete" as the best alternative. Also, if you haven't bought anything for several years, any card you might have saved on file is likely expired, so those people don't need to complain.
 
Is anyone even sure it was Canadaammo that got hacked? Because, if it's like what you get from Google Chrome, it means that the password you use for that account got hacked and was found on a darkweb account sales site. It doesn't mean it's on Canadaammo's end at all. The big culprit will be Google Chrome itself, which has had two password data breaches in the past five or so years. So if you use Chrome (especially in 2019, when a massive one stole nearly everybody's passwords), that would likely be your culprit. And not only do you need to change your password on Canadaammo, but on each and every account where you used that password (or similar ones) online.

The structure of the information released makes it clear there was a database compromise. It's possible that this was recovered from a database backup that wasn't properly secured rather than the live database, but given that the security posture of their server and its software is this bad, it seems likely the live site has been compromised. Possibly more than once.
 
I want to know why there hasn't been continued updates from CanadaAmmo about this!

Namely, what's the extent of the breach, and what's the plan!?!?!?
 
I want to know why there hasn't been continued updates from CanadaAmmo about this!

Namely, what's the extent of the breach, and what's the plan!?!?!?

Well as of right now the server hasn't been updated, it's still running a version of CentOS released in July of 2020. Updates that address security concerns in that release are available.

What does that say about how seriously they take this matter?
 
LATEST: IT has purged the data from the site and reset all the passwords.

We will continue to post info here as it becomes available.

Please contact us at cs@canadaammo.com if you have any questions.
 