The online racing simulator
Possible leak
(14 posts, started )
Possible leak
This evening a certain image surfaced on LFS discord server. It was an image of text file containing the following syntax
https://www.lfs.net/login:username:password

and
https://www.lfs.net/loginreset/uniqueHash

. It is unknown what the author wanted to achieve with that however I can recommend the following to the players. Have the habit of changing your passwords every 6 months or at the very least every 2 years.

There is no need for panic, just ensure that you still maintain control over your account and change the password.
#2 - gu3st
Quote from mcmustang :This evening a certain image surfaced on LFS discord server. It was an image of text file containing the following syntax
https://www.lfs.net/login:username:password

and
https://www.lfs.net/loginreset/uniqueHash

. It is unknown what the author wanted to achieve with that however I can recommend the following to the players. Have the habit of changing your passwords every 6 months or at the very least every 2 years.

There is no need for panic, just ensure that you still maintain control over your account and change the password.

Neither of those do anything...
Quote from gu3st :Neither of those do anything...

Ok, posting this could get me into really hot waters, but for the sake of security it must be verified.
One thing for sure, those username and password combinations are legit.
@TechnoGX please change your web and game password, they have been leaked.
(ps nothing was done to that account, just merely testing the legitimacy of the leak)

Here is the information I could gather so far.
The leak contains accounts as recently created as 2024, so that leaves the pereulok leak out of the question. The above-mentioned account doesn't exist on the current most popular cracked service.
The leak contains also mixed bag of licensed accounts.

This is the list of the legit accounts that were visible in the image, if you are on the following list, please do change your passwords. Devs also mail these accounts to change their passwords.
scania113
GonzaDH
sastur
arunmavi
dimitarbarlev
CloudsP7
VittinGames
molesfilho
Stano842
Omer
DINU28
Anjinho
afoso555
Chaos121
crescatorul1
HerGamerTeam
ramazan5454
cemil46
fabiocanelasbw(screenshot cutoff)
Matas508
djdouglaslopes
Art2020
yoel03
DaanielJuunio(screenshot cutoff)
crazygamer
TechnoGX
walid14
jamaica3d
JusstDaniel
Moiedd_
orionrs
ALI_DK
[EE]RAFFA94

The line count on the file was showing at least 485 lines of text; realistically speaking, a small number of those accounts didn't seem like legit accounts and some lines were populated with password reset hashes, so the number of leaked accounts could be way less than 400.

TL/DR: some accounts were leaked, change your password.
Attached images
Screenshot_2024-10-10-00-38-36-030.jpg
Perhaps a phishing website is currently grabbing login details, or another pirated community (can't remember the name) is publishing its login log file....

Either that or someone's running an ad on LFS page or something malware related that's keylogging the login inputs. However I doubt it is this since LFS website doesn't run ads...?
Thank you for informing the community about this 🙏
Surprised gabor isn't in the list
Quote from MousemanLV :Surprised gabor isn't in the list

usernames on the list are probably persons who gave out their login details hoping for free s3
Quote from Viperakecske :usernames on the list are probably persons who gave out their login details...

7 of them what about the rest 30 ones
Attached images
Screenshot_191.png
#9 - BeNoM
Any official word from the devs?
Quote from BeNoM :Any official word from the devs?

"Thank you for your email. We have not had any data leaks from our site so don't know how this information was obtained but if the passwords were easily guessable, like the one you tested, perhaps that was how.

We will change the passwords on the accounts in the list."
Looks like an XSS vulnerability which steals cookies. Long time ago, pretty much all forum engines, e.g. phpbb, vbulletin, had it. All the attacker had to do was insert certain code into a profile picture, message body, or signature, etc. Then, when the page was loaded, the cookie or session got stolen and sent to a script (sniffer) which recorded the info to a txt file. Didn't even need to decrypt the hash, just replace certain values (normally, user ID and password hash, later with salt) in your cookies, and you are admin or any other user who simply opened the message or picture the code was inserted into. Once the attacker got admin, all they had to do was go to the admin panel, download the forum database, and have access to everything.

I guess, someone found such a vulnerability within this forum or other website page.
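The post above describes two weaknesses of the old forum engines: user-supplied text dropped into HTML unescaped, and a cookie that held the user ID and password hash, so copying it was as good as logging in. The following is an added example, not code from the thread or from the LFS site, showing the two server-side controls that close that class of bug: escaping user fields before rendering, and issuing an opaque random session token carried in an HttpOnly cookie. All function names, the in-memory session table and the sample signature are constructed for the example.

```python
"""Added example (not from the thread): server-side hardening against the
cookie-theft XSS described in the post. Two independent controls:
1. HTML-escape user-controlled fields (signature, profile text) before
   inserting them into a page, so injected markup renders as literal text.
2. Put only an opaque random token in the session cookie, mark it HttpOnly,
   and keep the user id / password hash server-side.
All names here are hypothetical; no real forum engine is modelled.
"""
import html
import re
import secrets
from typing import Dict, Optional

# Constructed sample input: a profile signature carrying injected markup.
# The payload is deliberately inert; it only needs to look like markup.
INJECTED_SIGNATURE = 'Fast laps! <script>/* injected */</script> <b onmouseover=x>hi</b>'

# Does the rendered HTML still contain anything a browser would execute?
# Matches a <script tag, or an on*= handler inside an actual open tag.
ACTIVE_MARKUP = re.compile(r'<\s*script\b|<[^>]*\son\w+\s*=', re.IGNORECASE)


def render_signature_unsafe(signature: str) -> str:
    """The old forum-engine mistake: user text dropped straight into HTML."""
    return f'<div class="signature">{signature}</div>'


def render_signature(signature: str) -> str:
    """Hardened form: escape <, >, &, and quotes so markup becomes text."""
    return f'<div class="signature">{html.escape(signature, quote=True)}</div>'


def contains_active_markup(rendered_html: str) -> bool:
    """Detection helper: True if script tags or event handlers survived."""
    return ACTIVE_MARKUP.search(rendered_html) is not None


# Server-side session table (constructed, in-memory). The cookie value is an
# opaque random token; user id and password hash never leave the server, so a
# stolen or forged cookie cannot be built from database contents.
_SESSIONS: Dict[str, int] = {}


def issue_session(user_id: int) -> str:
    """Create a session for user_id and return the token to place in the cookie."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = user_id
    return token


def resolve_session(token: str) -> Optional[int]:
    """Map a presented cookie token back to a user id, or None if unknown."""
    return _SESSIONS.get(token)


def session_cookie_header(token: str) -> str:
    """Set-Cookie with HttpOnly (page script cannot read document.cookie),
    Secure (TLS only) and SameSite=Lax (blunts cross-site requests)."""
    return f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def cookie_is_hardened(header: str) -> bool:
    """Check a Set-Cookie header for the three attributes above."""
    attrs = {part.strip().lower() for part in header.split(';')[1:]}
    return {'httponly', 'secure'} <= attrs and any(a.startswith('samesite=') for a in attrs)


if __name__ == "__main__":
    print("unsafe :", render_signature_unsafe(INJECTED_SIGNATURE))
    print("escaped:", render_signature(INJECTED_SIGNATURE))
    tok = issue_session(42)
    print(session_cookie_header(tok), "-> user", resolve_session(tok))
```

The escaping step is what stops a signature or message body from carrying script at all; the HttpOnly token is the second layer, so that even a successful injection elsewhere on the page has nothing useful to read and nothing in the cookie that can be reconstructed from a dumped database.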
(BeNoM) DELETED by BeNoM
Quote from BeNoM :Doubtful, there's a leak or hack that has occurred. This isn't someone randomly...

What else could they have done? There's no reason to believe there's an actual hack or leak. It's most likely something people filled in themselves, and/or their password is really simple. The LFS devs have checked it and haven't seen any strange activity on their servers.
Quote from RacingSOUL :...and you are admin or any other user who simply opened the message or picture the code was inserted into. Once the attacker got admin, all they had to do was go to the admin panel, download the forum database, and have access to everything.

I guess, someone found such a vulnerability within this forum or other website page.

I looked at some random profiles and none had any forum postings.
If there had been such an attack then it should have hit more active forum users, simply because they visit the forum more often.
Of course it is possible that those accounts were just very active readers but I doubt it.

Most likely people used pirated servers or some software/website and gave away their passwords willingly. (but perhaps unknowingly)
That has happened before:
https://www.lfs.net/forum/thread/107278
https://www.lfs.net/forum/thread/107205
Quote from Gutholz :I looked at some random profiles and none had any forum postings...

People are also notoriously bad for sharing credentials across sites. Just takes someone bored enough to wire up a script to see what matches against here.

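The last two posts point at the most likely explanation: reused credentials from elsewhere, tried against this site by a script. From the defender's side that activity has a recognisable shape in the login log, which is what the devs would look for when checking for "strange activity". The following is an added example, not code from the thread or from the LFS site: a small detector run over constructed log lines. The log format, IP addresses, usernames, window and threshold are all made up for the example; a real deployment would parse its own server's login log.

```python
"""Added example (not from the thread): spotting the "script that tries leaked
username:password pairs against the site" pattern in a login log.
Format, sample data and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: timestamp, client IP, username, outcome.
# 203.0.113.7 walks through many different accounts with mixed results,
# which is what a batch of reused leaked credentials looks like.
# 198.51.100.4 is one person mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2024-10-10T00:30:01Z 203.0.113.7 login user=alpha result=FAIL
2024-10-10T00:30:02Z 203.0.113.7 login user=bravo result=FAIL
2024-10-10T00:30:02Z 203.0.113.7 login user=charlie result=OK
2024-10-10T00:30:03Z 203.0.113.7 login user=delta result=FAIL
2024-10-10T00:30:04Z 203.0.113.7 login user=echo result=FAIL
2024-10-10T00:30:05Z 203.0.113.7 login user=foxtrot result=OK
2024-10-10T00:31:00Z 198.51.100.4 login user=golf result=FAIL
2024-10-10T00:31:30Z 198.51.100.4 login user=golf result=FAIL
2024-10-10T00:32:00Z 198.51.100.4 login user=golf result=OK
"""

LINE_RE = re.compile(r'^(\S+) (\S+) login user=(\S+) result=(OK|FAIL)$')


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag IPs that attempted at least min_distinct_users different accounts
    inside any sliding window. The signal is breadth of accounts per source,
    not raw failure count, so a single user retrying their own password is
    not flagged. Returns {ip: {'distinct_users': n, 'successes': [users]}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({e[2] for e in evs[start:end + 1]}))
        if best >= min_distinct_users:
            # Accounts the source actually got into: these need a forced reset.
            successes = sorted({e[2] for e in evs if e[3] == 'OK'})
            flagged[ip] = {'distinct_users': best, 'successes': successes}
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts successfully entered from any flagged source."""
    names = set()
    for info in flagged.values():
        names.update(info['successes'])
    return sorted(names)


if __name__ == "__main__":
    found = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['distinct_users']} distinct accounts, got into {info['successes']}")
    print("reset:", accounts_to_reset(found))
```

The "successes" list is the operational output: it is the set of accounts whose passwords were valid somewhere else and also here, which is exactly the list the devs said they would force-change. Rate-limiting by source and checking new passwords against known-breached lists are the usual follow-ups; neither is shown here.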