Rats leave the sinking ship as hackers’ forum gets hacked

Prepare yourself for the warm glow of schadenfreude: OGUsers, a forum devoted to trading stolen Instagram, Twitter and other accounts, has apparently been hacked, its forum hard drives wiped, and its user database stolen and published on a rival hacking community site for any and all comers to download for free.

As Motherboard reported last year, OGUsers – called OGU by its members – is a forum popular among hackers who specialize in hijacking people’s accounts, particularly through SIM swapping.

Trading in desirable usernames

Launched in April 2017, the forum is a market for buying and selling “OG” usernames. That’s short for “original gangster” and refers to usernames that are considered desirable, whether it’s because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few.

According to Motherboard, OGUsers traded in hijacked social media accounts, as well as in PlayStation Network, Steam, Domino’s Pizza, and other online accounts.

The administrator of OGUsers, known as “Ace”, announced the attack in a post on the forum on 12 May 2019. According to security journalist Brian Krebs, Ace told forum members that an outage had been caused by hard drive failure that erased months’ worth of private forum posts and prestige points. Ace said they’ve restored a backup from January 2019.

But we’ve since found out that the 12 May outage coincided with the theft of the forum’s user database and the erasure of its hard drives.

Four days after Ace’s post, the administrator of a rival hacking community, RaidForums, announced that they’d uploaded OGUsers’ database. Come and get it, RaidForums administrator Omnipotent said, raising an eyebrow at OGUsers’ use of the vulnerability-vexed MD5 hashing function:

On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.

Krebs got hold of the purloined list of OGUsers’ members. He said it appears to contain the usernames, email addresses, hashed passwords, private messages and IP addresses at the time of registration for around 113,000 users – although, he said, some users are likely using multiple aliases. Motherboard also checked out the database and found that it contained users’ emails and source code.

Motherboard verified the data by searching for two accounts registered by its reporters.

Music from the tiniest violin

OGUsers’ members are, understandably, and to the delight of the universe’s karmic balance, freaked. Several threads on OGUsers have been filled with users worrying that they’ll be exposed due to the breach, while some claim that they’ve already received phishing emails, Krebs reports.

Some are furious at Ace, claiming he disabled users’ ability to remove their accounts. Krebs quoted one user who had this to say on the Discord chat:

Ace be like:

– not replace broken hard drives, causing the site to time warp back four months
– not secure website, causing user info to be leaked
– disable selfban so people can’t leave

Motherboard talked to one OGUsers member who said that the rats are leaving the sinking ship, worried about 1) getting hacked themselves and 2) a visit from the law:

It’s like a nuke dropped on the site. Some people only used OGU pms as their only contact, so if you were to look into it or an FBI agent there is a lot to find.

No, no, please don’t go, little ratties, Ace said in a post. OGUsers getting breached is just like any other site getting breached, they wrote, neglecting the part about how most of the users are presumably cybercrooks:

OGUsers has been online close to 3 years now and this is the first time any breach has occurred. I do understand everyone’s frustration and I am deeply sorry this has all happened recently. You must realize other sites such as Twitter, Facebook, Dropbox, Forums you have used in the past, and many more have been breached at least once. People are targeting the site 365 days a year. Again, I am deeply sorry this occurred and I will do my best to make sure it never happens again.

… yes, it’s exactly like Twitter or Facebook or Dropbox getting breached, with the teensy weensy exception of potential incarceration for the people whose personal information was exposed.

We’d wish you good luck as you scamper, little ratties, but hey, you know… karma and all that. We wish you no luck at all in escaping the long arm of the law, and the victims of your account hijackings no doubt share that attitude.

Still, we can’t be too tickled about crooks kicking each other’s shins off. Malware is a scourge that Sophos battles all the time, so we can’t applaud too loudly, even when, say, a Nigerian scammer infects himself.

And like we said when we reported about hackers hacking hackers – if hackers can be hacked, then so can you, if you aren’t careful.

So be careful!