WatchMojo hacked?

Looks like someone hacked watchmojo lmao


go and shill your shitty skid group on hackforums

who?

I didn't hack it you moron

How many years now?

Why am I even on this board anymore

Wow, the le haxor changed the titles. They should have used the password to silently gain access to their site or at least replace some videos with pizza. But no, FOLLOW ME ON TWITTER!!!1!!!

Was the password password?

You and me both buddy

How is Jewtube too stupid to realize something is amiss and change the titles back?

Password1

Need numbers too

Is this some kind of watch dogs 2 ad?

this.

So how do these people "hack" accounts? Is it really just guessing a simple password? Do these people just sit around all day guessing passwords, or do they use scripts that do it for them?

>not deleting all the videos
>not deleting the whole account
>not uploading gore or anything against YT's rules
0/10

I too am puzzled by this.
It's likely someone in watchmojo internally did it though.

The hacker didn't do anything cool though, just changed the names of some videos.

No retard

Kys

>watchmojo
who?

Why the fuck is their password so easy to hack? They should have a 200+ password length.

Why because they're somehow more official and important than your average grocery haul youtuber? They're a youtube channel. They don't make enough money for professionalism to matter.

Never said no one else should have a strong password, but with that much money on the line you should definitely take extra precautions.

>They're a youtube channel. They don't make enough money for professionalism to matter.
a channel with 12 million subs probably makes quite a lot of money.

5 videos daily

Kekd

Best thing to be uploaded to WatchMojo in ever.

scripts yes
if you get a database dump(through SQL injection for example), some services store in plaintext, some hash the passwords but cracking hashes is still very fast, several billion guesses per second on GPUs I believe. So you crack a lot of passwords in a dump and then add those username+pw combinations to your database of passwords to try. Since password reuse is rampant this works far too well

>Statue of Liberty .... HACKED
Those bastards!

Good. I'm glad someone is trying to get rid of that cancerous channel.

>scripts yes
They lock the account after a few unsuccessful attempts
>SQL Injection
You are a retard if you think Youtube is vulnerable to SQLi.

>WatchMojo
Literally never heard of it. Sounds like some even lamer ripoff of College Humor though.

That's a Marilyn Manson album

Should've changed all the video uploads to Rickrolls.

LMAO XDDDDDDD THAT'D BE FUN :DD

It's YouTube, not some school project in php.

>Billions worth website
>From the biggest web conglomerate of the world
>SQL injection

Stop pretending you know anything about this. You're in a board full of programmers.

>So you crack a lot of passwords in a dump and then add those username+pw combinations to your database of passwords to try. Since password reuse is rampant this works far too well
>password reuse
it's enough if a site with the same password is vulnerable
thought that was clear

>You're in a board full of programmers.

>if you get a database dump(through SQL injection for example)
>(through SQL injection for example)
>for example

A board of programmers that can't read. Fascinating.

>You're in a board full of programmers.
no, and he's right, it's a common attack vector to crack lower tier websites or use older dumps (e.g. linkedin, amazon, adobe, ...) to find passwords for certain accounts on other sites.
for watchmojo it'd just require a background check on the identities of the people that originally started it and then look for emails+passwords attached to those identities in other places.

That has been in the OWASP top 10 consistently every year since they were founded. People will never stop making simple mistakes. We're only human.

being fucking stupid enough to use mysql_ in php is not a regular human mistake

it's almost as if this was just a ruse to get attention

Do I have to really break this down for you guys?

The INDIVIDUAL who had the login to that account on YouTube was hacked. Not THROUGH YouTube, but from another source.

That could be through another website this person visited which had vulnerabilities, it could've been a friend, it could've been a trojan, they could've been phished accidentally. Either way, they weren't bruteforced on YouTube.

Once they had the password, they likely also tried it on the YouTube account (and probably several other media mediums) and it worked.

It doesn't take a genius or even a script. Just good ole fashioned laziness and stupidity.

If it was a script, still just as easy with a rainbow attack table against a different site where they know an account with the same email exists that doesn't have bruteforcing protection.

If it was only uncommonly stupid people doing it it would be an uncommon problem not one of the most common ones year after year.

Just not using mysql_* functions won't make you safe from SQLi.

yeah if you're a fucking dumbfuck and insert variables into query directly

Yes. You can do that with or without mysql_* functions. Congrats. Look at and think about how stupid you are.

but I'm . My point was that you won't get SQLi if you use non-mysql_ library properly.

You are giving these people way too much credit, $100 the owner of the watchmojo account recycled passwords and their information was in one of the recent major DB dumps.

You also won't get SQLi if you use mysql_* functions properly.

>hack WatchMojo
>don't make these types of memes real

You're just describing why people should know better. Most people already do know better but probably don't get it right 100% of the time either. It's like you want us to explain the concept of a mistake. Of not being perfect.

Clearly it happens a lot. That's the whole point of the list.

I am not saying mistakes don't happen. On the contrary, I'm saying they do, and using one API for talking to the DB or the other won't change this fact.

Was the hacker known as Sup Forums responsible for this?

Yes, but the point is that it's much easier to make a mistake using mysql_ than for example PDO. If in both cases you don't insert variable into query directly and you use mysql_, it's easy to forget to escape string, if you use PDO, there's no possibility to leave a SQLi vuln in your code.

>if you use PDO, there's no possibility to leave a SQLi vuln in your code.
Of course there is. You send the query string into PDO. You're free to put as many values from variables into that string as you want, ignoring placeholders.
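
The point made in the post above, as an added example (not code from any poster in this thread): a PDO statement that binds one value but concatenates another is still injectable, while the fully bound form is not. The schema, rows and function names are constructed for illustration, and an in-memory SQLite database through the pdo_sqlite extension is assumed.

```php
<?php
// Added illustration; schema, rows and function names are constructed for this example.
// Assumes the pdo_sqlite extension so it runs offline against an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES
    ('alice', 'admin'), ('bob', 'user'), ('o''brien', 'user')");

// Mixed style: :role is bound, but $name is pasted into the SQL text before prepare().
// By the time PDO sees the statement, the hostile text is already part of it.
function findMixed(PDO $pdo, string $role, string $name): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM users WHERE role = :role AND name = '$name' ORDER BY id"
    );
    $stmt->execute([':role' => $role]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Fully bound: the SQL text is a constant and every value travels as a parameter.
function findBound(PDO $pdo, string $role, string $name): array
{
    $stmt = $pdo->prepare(
        'SELECT name FROM users WHERE role = :role AND name = :name ORDER BY id'
    );
    $stmt->execute([':role' => $role, ':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$hostile = "x' OR '1'='1";   // constructed input that closes the quote early

// Mixed query: the WHERE clause becomes (role AND name) OR true, so every row matches.
echo 'mixed, hostile input: ', json_encode(findMixed($pdo, 'user', $hostile)), PHP_EOL;
// Bound query: the same input is compared as a literal name and matches nothing.
echo 'bound, hostile input: ', json_encode(findBound($pdo, 'user', $hostile)), PHP_EOL;

// A legitimate name containing a quote breaks the mixed query outright ...
try {
    findMixed($pdo, 'user', "o'brien");
} catch (PDOException $e) {
    echo 'mixed, o\'brien: SQL error', PHP_EOL;
}
// ... while the bound query finds the row.
echo 'bound, o\'brien: ', json_encode(findBound($pdo, 'user', "o'brien")), PHP_EOL;
```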

>If in both cases you don't insert variable into query directly

>people who put ".com" in their fucking titles

this shit triggers me so fucking much

>if you don't make a mistake, it's not possible to make a mistake
This is your argument in favor of PDO.

this
fucking amateurs

No it's not. My argument is that it's easier to forget to escape string than to take 2 kilos of cocaine and for some unholy reason forcefully insert variable in query, don't do any binds and execute query.

If it's equally easy to you to do both, you should see a doctor

>don't do any binds
Slow down there friendo. You do bind it. And you would execute it in any case. The only thing you gotta do to fuck up is add a variable value to query text without properly escaping it - same as with mysql_* functions.

how does your mind work if you bind some of your variables and fucking insert some of them directly into query? If you use mysql_, you need to insert variables into query all the time, escaping them before, on PDO you never do that.

...

>on PDO you never do that.
You can. If that's the best argument you can come up with, then my response is
>on mysql_* you never not properly escape variables

>how does your mind work if you bind some of your variables and fucking insert some of them directly into query
It just works. It's trivial. I'm not even sure what you're having trouble comprehending here.

You clearly overestimate the skill of the average programmer. I see le-ebin-CS-grad-meme-style code basically daily (undisclosed Fortune 500 company). And here I'm talking about just regular code. Don't get started on security (which is what I do).

True, it's been a while since I've seen SQLi myself but a colleague here saw code not too long ago where they concatenated user input directly to prepared statements.

So, yeah...

>on mysql_* you never not properly escape variables
Consider this:
Using mysql_ is like driving a manual, you can miss a gear when switching them all the time, but rarely.
Using PDO is like driving automatic, you leave it on D and the system does everything automatically (escaping variables properly). According to your brain, when you drive a manual, you sometimes switch D to manual gear 1, 2 or 3 for some reason mid-driving. What is going on in your head that you would do that?

Analogies do not work as arguments.

No, I'm just trying to explain my previous arguments, but I might be "overestimating the skill of the average programmer" as said. I can't imagine a person just normally insert a variable inside a query when using a library with prepared statements.

>not uploading this
youtube.com/watch?v=aFfA04JyPEY

I can't imagine a person not quoting his input properly with mysql_*.

see
Really if you have no concept of why you are using PDO and just use prepared statements wrongly it's not that difficult to fuckup as I just indicated with my anecdote. I know, anecdotal evidence, but saying it never happens is just not true (this you can prove with an anecdote as I just did).

/thread

If you can't, then look at the dumps made using SQLi vuln. If you look very closely, you should see that majority of dumped sites are using mysql_ instead of PDO.

What are the rest using?

Library that supports prepared statements used by people like you who take large amounts of drugs and tend to fuck up in most simple situations

>Library that supports prepared statements
Well, there we go. You can make same errors in both.

>by people like you who take large amounts of drugs and tend to fuck up in most simple situations
Why are you attacking me personally? Are you that upset that your argument does not stand?

>Well, there we go. You can make same errors in both.
But not as frequently. If you will link to my statement that it's impossible to make SQLi in library that supports prepared statements, you personally proved that such people exist that somehow achieve SQLi in PDO.

>Why are you attacking me personally? Are you that upset that your argument does not stand?
I'm upset because someone created PDO to get rid of SQLis completely and people still somehow make them

The fact that those errors exist shows that it is in fact possible to make those errors with PDO - which makes it no better than mysql_*.

And don't lie to yourself - the perceived abundance of mysql_* code with SQLi is not evidence that it's easier to make mistakes in. It's most likely evidence that that API is more popular. Of course, to claim either with certainty you need to research the issue properly.

>I'm upset because someone created PDO to get rid of SQLis completely and people still somehow make them
I seriously doubt PDO was created solely for that reason.

>rainbow attack table against a different site where they know an account with the same email exists that doesn't have bruteforcing protection.
rainbow tables work against (unsalted) hashes, and to crack those you need to obtain them from the webserver, SQLi is one way to get them, getting control of the webserver via other means is another. then you crack the hashes on your own computer. "bruteforcing protection" I'm guessing you're referring to captchas and "please wait 5 minutes before trying to log in again" type of stuff, those are a different type of attack.
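
Why the "(unsalted)" qualifier in the post above matters for how a site stores passwords, as an added example (not code from any poster in this thread): a table computed once ahead of time matches unsalted digests but not per-user salted hashes from PHP's `password_hash()`. The account names and passwords are constructed, and a plain digest-to-password lookup table stands in for a real rainbow table.

```php
<?php
// Added illustration; account names and passwords are constructed sample data.
$accounts = ['alice' => 'Password1', 'bob' => 'Password1', 'carol' => 'c0rrect-h0rse'];

// Unsalted fast hash: the same password gives the same digest for every user and site.
$unsalted = array_map(fn($pw) => hash('sha256', $pw), $accounts);

// Salted, deliberately slow hash: password_hash() generates a fresh salt per call.
$salted = array_map(fn($pw) => password_hash($pw, PASSWORD_DEFAULT), $accounts);

// Stand-in for a precomputed table: digest => password, built once from common
// passwords. (A real rainbow table compresses this mapping; the weakness is the same.)
$table = [];
foreach (['password', 'Password1', '123456'] as $common) {
    $table[hash('sha256', $common)] = $common;
}

// Return the users whose stored value appears in the precomputed table.
function exposedBy(array $table, array $stored): array
{
    return array_keys(array_filter($stored, fn($digest) => isset($table[$digest])));
}

echo 'unsalted, found in table: ', json_encode(exposedBy($table, $unsalted)), PHP_EOL;
echo 'salted, found in table:   ', json_encode(exposedBy($table, $salted)), PHP_EOL;
echo 'same password, same unsalted digest: ',
    var_export($unsalted['alice'] === $unsalted['bob'], true), PHP_EOL;
echo 'same password, same salted hash:     ',
    var_export($salted['alice'] === $salted['bob'], true), PHP_EOL;
echo 'login still verifies: ',
    var_export(password_verify('Password1', $salted['bob']), true), PHP_EOL;
```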

Thanks user, I've been looking for this picture for a while now.

dadada

Still one of my favorite skits