
The Underground Forum hacking: what’s next for user protections?

By Zach Arnold | January 21, 2014


When we posted our series of articles on the UFC Fight Pass web site, one thing we did not address was the potential security issues that could be exploited by hackers. Once that topic was explored on Bloody Elbow, the intensity of the scrutiny was raised a few notches.

With security issues on the minds of UFC Fight Pass subscribers, this message for Underground Forum users surely was not comforting for hardcore MMA fans who are active on message boards. A hacker pretended to be Dana White for a chat on the Underground. Then the hacker pretended to be Dan Henderson.

Take note of the … diplomatic tone Kirik is using regarding the hacker.

The hacker’s actions are one thing, but it’s an entirely different issue when that same hacker allegedly attacked the site previously… and users were not told about the severity of the hack or the hack itself?

Two years ago, MentaL found a way to hack into the site, and very helpfully alerted us to it. We immediately fixed the hole. By immediate I mean someone started on it within minutes.

MentaL says that at the time we should have forced everyone to change their passwords, in case someone else had found the same hole that he did, and had bad intentions. I did not think anyone else but him had found the hole, and so with the fix in place, we did not force a wholesale change of PWs.

The site got hacked two years ago, users weren’t told, and the hacker warned the site to take action?

Update (evening of 1/21/2014): From the comments section by Kirik:

The above sentence is factually incorrect. The hacker did not warn the site to change passwords. That is something that was apparently on his mind, and two years later, he decided to make a point over. You can’t mix together incorrect supposition with quotes, and then say hey the quotes are right.

If the hacker proceeds to use information gleaned from the site and accesses/opens credit card accounts or hacks into banking or shopping sites with information obtained from the Underground, then what liability issues are raised by the Underground's failure to disclose the site hacking from two years ago to its users?

As you might imagine, a lot of people are freaked out. Has the FBI been contacted? If not, then why not? If no complaint is filed with the FBI, does it open the door for a potential class action civil lawsuit?

Next question: how was the hacker able to access the passwords?

The Underground Forum is asking all users to change their passwords. That's where another freak-out factor is happening. One source, who happens to be a very sharp lawyer, contacted me with the following:

I changed my password and the email address associated with [the account] because of the attack. When I changed the email address, they sent me my password in clear text!

From:
Date: Mon, Jan 20, 2014 at [redacted]
Subject: Mixed Martial Arts Registration Confirmation
To: [redacted]

To ensure delivery to your Inbox and to have images displayed properly, please add MixedMartialArts.com to your safe senders list.

I would like to thank you for taking the time to register at MixedMartialArts.com, the worldwide leader in Mixed Martial Arts information. We hope you enjoy the site and look forward to your participation.

To complete your registration, follow the link below:

CLICK HERE

(If clicking on the link doesn't work, try copying and pasting it into your browser. If you still have issues, then please go to the URL below and use this key: [redacted password])

http://www.mixedmartialarts.com/?go=signup.ul&u=[redacted]

Login Information:
Email: [redacted]
Password: [redacted]

As with any large gathering of people, there are basic guidelines to follow so that everyone can enjoy the community. These will be covered in a following email.

Cheers,

Kirik Jenness
President, Mixed Martial Arts LLC

Mixed Martial Arts LLC.
1240 South East St.
Amherst, MA 01002
USA

Phone: (508) 443-3376
Check us out on Facebook
If you would like to unsubscribe and stop receiving these emails click here.

What’s the next shoe to drop?

Topics: MMA, Media, Zach Arnold

9 Responses to “The Underground Forum hacking: what’s next for user protections?”

  1. 45 Huddle says:

    I guess the security of the site is about as good as its users. Which isn't very good at all.

  2. Fluyid says:

    LOL. Kirik is one weird dude.

  3. Dude, you know my email address. Dunno why you posted incorrect information without asking me first.

    RE: The site got hacked two years ago, users weren’t told, and the hacker warned the site to take action?

    He never said to me that I should change passwords. He said “Hey there is a security hole here.” We patched it. This was two years ago. He apparently thought we should have told everyone to change their passwords, but that is not standard protocol when a potential security hole is found. So two years later he pranked the site to make his point, and explained why. It was the first I heard from him about changing PWs.

    He is not malicious. The same guy completely hacked BitTorrent; could have brought down half the Net, but he didn't. As a hacker trophy, unbeknownst to me, he downloaded an encrypted list of user login info, and using something called a Rainbow Table was able to guess some emails, and crack a handful of simple passwords (like numbers only, small number of them) and posted as Dana and Hendo, couple of others. He thought people would find it funny. Obviously his judgement is pretty bizarre, but he is not malicious. As I said, if he was, he would have done something with BitTorrent, which Hollywood would have paid him millions for.

    Anyway, if you have any questions, just ask. Please.

    • Zach Arnold says:

      How is posting an automated e-mail that a user gets for password resetting and linking to the post where I’m directly quoting you posting incorrect information?

      It’s not like I’m going out of my way to make up anything here. I fully understand the dangers & fears of having a site hacked, which is why I am so grateful and thankful for the webmaster that I have for everything he has done for me.

      I am not mocking you nor am I making light of the situation. I genuinely have sympathy for you regarding this situation. It is everyone’s worst nightmare coming to reality (the security of a web site).

      • “The site got hacked two years ago, users weren’t told, and the hacker warned the site to take action?”

        The above sentence is factually incorrect. The hacker did not warn the site to change passwords. That is something that was apparently on his mind, and two years later, he decided to make a point over. You can’t mix together incorrect supposition with quotes, and then say hey the quotes are right.

        I respect and even admire your work, and expect better.

    • m.m.d. says:

      So you can promise a response in a week or two and then bail out and ignore the request afterwards? How’s that working out for you so far?

  4. Jonathan says:

    What exactly is the Underground?

    I’ve been an MMA fan for 12 years now, I was a forum moderator over at Subfighter.com, and I’ve been reading industry websites for a long time. I was a Sherdog Insider, but I never posted one thing in their forums, and I have always heard of the Underground, but I’ve never actually been there.

  5. 45 Huddle says:

    Mr. Jenness speaks a nice game here… But lets be honest about what that website has become. A website he is in charge of….

    There is blatant racism on the website. There is constant bashing of the LGBT community on the website. And these aren't one time problems. I am sure you can go to the website right now and find somebody putting down black people or calling somebody a "f#ggot". I really can't think of another website I have come across in the last few years that allows for such bad behavior of its members. Even YouTube has cleaned up their act.

    Maybe the things he is saying are true about the security of the website. But he sort of lacks a lot of credibility with how he allows things to go on over there. It reflects extremely poorly….

  6. go_long says:

    A hacker broke into Kirik's website and got access to the entire back-end, including the user database. The hacker notified him and warned him to take action to fix the vulnerabilities.

    Kirik decided that, even though his site was insecure and (at least) one hacker was able to access the user database, he would not notify users or require them to change passwords.

    After being publicly shamed by the hacker 2 years later, Kirik decided to finally notify users and require them to change their passwords.

    Now he’s upset as to whether this article implies that the hacker’s warning to him included a warning to have users change their passwords? As if, after ~15 years of running a prominent website, he did not know that it was his duty to notify users and have them change their passwords after a hacker accessed them?

    Wow.
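The registration email quoted in the article (the password echoed back in clear text) and Kirik's comment above (a downloaded list of user login info matched against a rainbow table, short numeric passwords cracked) point at the same root cause: passwords stored in a form that can be looked up or reversed. The Python below is an added illustration, not code from the Underground or from anyone in this thread. It contrasts an unsalted digest, which gives every user with the same password the same stored value and is therefore exactly what a precomputed table keys on, with a per-user salt plus a slow KDF, and it shows the hashed, single-use, short-lived reset token a site should email instead of the password. The sample accounts, the iteration count and the token lifetime are constructed assumptions.

```python
"""Added illustration of hardened password storage and password reset.
Standard library only; sample data is constructed, not real Underground data."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional

# Assumptions for the demo: tune iterations to ~100 ms on real hardware,
# and keep reset tokens short-lived.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample accounts. Two users share a short numeric password of
# the kind the comments say was cracked.
SAMPLE_USERS: Dict[str, str] = {
    "dana": "1234",
    "hendo": "1234",
    "lurker": "correct horse battery staple",
}


def hash_password_unsalted(password: str) -> str:
    """Weak scheme: one fixed digest per password, identical for every user
    and every site, so a lookup table computed once matches any such store."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened scheme: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    The record cannot be turned back into the password, so a site storing
    credentials this way has nothing to put on a 'Password: ...' email line."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def leaks_password_equality(scheme: Callable[[str], str], users: Dict[str, str]) -> bool:
    """True when two users with the same password get identical stored digests.
    That repetition is what a precomputed (rainbow) table keys on; a salted
    store never shows it, so one table buys nothing across users or sites."""
    digests = [scheme(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


def build_store(users: Dict[str, str]) -> Dict[str, dict]:
    """Constructed credential store: username -> salted record."""
    return {name: make_record(pw) for name, pw in users.items()}


def issue_reset_token(store: Dict[str, dict], username: str, now: Optional[float] = None) -> str:
    """What the email should carry instead of the password: a random single-use
    token. Only its hash is stored, so a copy of the database cannot redeem it."""
    token = secrets.token_urlsafe(32)
    store[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "issued_at": time.time() if now is None else now,
    }
    return token


def redeem_reset_token(store: Dict[str, dict], username: str, token: str,
                       new_password: str, now: Optional[float] = None) -> bool:
    """Check the hash, the age and single use; on success replace the record."""
    pending = store[username].get("reset")
    if pending is None:
        return False
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    if now - pending["issued_at"] > RESET_TOKEN_TTL_SECONDS:
        del store[username]["reset"]  # an expired token is discarded, not kept
        return False
    store[username] = make_record(new_password)  # new salt, and the token is gone
    return True


if __name__ == "__main__":
    print("unsalted store leaks equal passwords:",
          leaks_password_equality(hash_password_unsalted, SAMPLE_USERS))
    print("salted store leaks equal passwords:",
          leaks_password_equality(lambda pw: make_record(pw)["digest"], SAMPLE_USERS))
    store = build_store(SAMPLE_USERS)
    token = issue_reset_token(store, "dana")
    print("reset with emailed token:", redeem_reset_token(store, "dana", token, "a longer passphrase"))
    print("old password still works:", verify_password(store["dana"], "1234"))
```

A store built this way still lets weak passwords be guessed one account at a time, which is why the iteration count matters; what it removes is the ability to crack the whole list in bulk from one table, and the ability of the site itself to ever print a password into an email.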
