Retro Regarding the Safety of Your Data on Habba.IO owned by Rain/Josh is being logged in plain text by the owner and leaked

[HabbaNotSafe]

Dear Habbo Retro Community, We hope this message finds you well, and we regret that we must bring some concerning news to your attention today. The commitment to your safety and the security of your personal information has prompted us to take this step, as we firmly believe you deserve to know which Habbo Hotels can be trusted with your data. Recently, we have discovered some unsettling practices taking place in a particular Habbo Hotel known as "Habba.IO Hotel," which is owned by Rain/Josh. It has come to our attention that your personal data is not being handled with the utmost care and security. We want to ensure that you, as a valued member of our community, are informed and can make informed decisions regarding your online activities. Here is what we have discovered: Storage of Personal Data in Plain Text: Rain/Josh is storing your personal data in plain text in their database tables. This means that your information, including passwords and IP addresses, is not adequately protected. Storing data in this manner is a significant security risk and raises serious concerns about your privacy.

Logging of User IP Addresses and Passwords: Furthermore, Rain/Josh has been logging your IP addresses and passwords in plain text. This is an alarming practice that can only raise questions about their intentions. The only plausible reason for this would be to attempt unauthorized access to your accounts outside of the Habbo retro community, such as your emails, social media accounts, and payment platforms. For the safety of your personal information, we strongly advise against using Habba.IO Hotel and urge you to change your passwords if you have used them on this platform. We also advise against using the database and CMS files that Rain/Josh has created however we'll provide them for you to see for yourself, so you can see it contains security vulnerabilities or exploits. If you choose to use these files, please do so at your own risk. We understand that you might be concerned about the accuracy of these claims, so we want to reassure you that we are prepared to provide evidence to support our findings. Your safety and the security of your data should always be a top priority, and we are committed to being transparent about these issues, unlike the hotel owner.

In the interest of promoting a secure and respectful Habbo Retro experience, we have decided to make this information public to protect our community members. We hope that, armed with this knowledge, you can make informed decisions about where to invest your time and trust within the Habbo Retro Community.

Thank you for your understanding, and please do not hesitate to reach out if you have any concerns or questions regarding this matter. Together, we can make the Habbo Retro community a safer and more enjoyable place for all.

P.S
We have decided in the best interest of the Habbo Retro community to NOT LEAK THE DATABASE since it contains too much sensitive personal user data in plain text to prevent other hotels in the community from being affected. The matter of what he's done to use his platform to gain his user's passwords and use it for his own malicious intentions/benefits is truly sad. This is a big part of the reason people don't trust the retro community due to a few bad owners who have popular hotels.

Please spread the word to people in the community to help future players avoid becoming victims of this reckless hotel OWNER actions.

Proof Of User Data Logging In Plain Text Screenshots:

You must be registered for see links

Sincerely,

The CMS is provided for proof if you want to look through it and how he logs your information within his hotel Habba.IO
CMS Download URL:

You must be registered for see links

@Rain

 

[Piccolo]

No surprise after all the stories going around. This only confirms. It's a shame people are still like this in this day and age.

They should also just get banned on findretros immediately in my opinion. This is because they are at the top. If more victims can be prevented, this is the best way.

Post automatically merged: Oct 23, 2023

@RastaLulz

 

[Puffin]

No surprise after all the stories going around. This only confirms. It's a shame people are still like this in this day and age.

They should also just get banned on findretros immediately in my opinion. This is because they are at the top. If more victims can be prevented, this is the best way.

Post automatically merged: Oct 23, 2023

@RastaLulz

I agree, this is a clear breach of trust within the community. People like this should be ousted,

 

[HabbaNotSafe]

No surprise after all the stories going around. This only confirms. It's a shame people are still like this in this day and age.

They should also just get banned on findretros immediately in my opinion. This is because they are at the top. If more victims can be prevented, this is the best way.

Post automatically merged: Oct 23, 2023

@RastaLulz

I strongly agree, that the matter is out of control there should be no way Habba.IO is allowed to be on FindRetros this puts FindRetro's reputation on the line. A lot of hotel owners support and trust FindRetros, however, they're allowing Habbo Retros with owners who are giving the English community a bad reputation which is already dying even more of a reason to die. I believe they should get people who care about FindRetros to moderate making new rules to protect the little of what is left of the Habbo Retro community so that in the future newcomers aren't scared away from situations like this happening. They also have a job to protect people from these kinds of malicious hotel owners because they allow this hotel to be on the front page of their site with their brand name next to it and people who have trusted FindRetros for years to bring them to good hotels.

I have tried for countless weeks to handle things behind the scenes the mature way. Josh/Rain refuses to admit to his wrongs and gaslights the matter, lying to his users telling them to change their passwords, and not the truth of the matter. He also tries to claim it isn't his files but it clearly is if you look through his Devbest account @Rain you'll see he's been using the same CMS base since 2014 which is LightShot CMS the same exact CMS I've released which is his.

Anybody with common sense and developing knowledge could go through the files I've provided and the ones on his website and see it's clearly his legit files there are too many junk files over the years he's decided to keep which link on habbo.io as well confirming it's the actual source.

Rain/Josh has always been this way even in 2014 he added a Flooder tool within his hotel files which he used in 2014 to attack other hotels, however while scanning the hotel files is when I found this in his CMS source which I have removed from the released copy due to the virus it contained. You can still access think link to download the actual file from his website.

Proof of this virus flooder tool is within his website files as well.
Do NOT DOWNLOAD THIS IS PROOF

You must be registered for see links

You must be registered for see images attach

You must be registered for see images attach

You must be registered for see images attach

P.S
I've also been made aware he's trying to do this same stuff into another foreign community with the hotel he owns called

You must be registered for see links

which I will also make that foreign community aware of the kind of person they're dealing with and to stay clear of any hotel he owns!


It now seems he's shutdown his hotel server at the moment and has not replied to take responsibility for his actions instead he's running away to hide probably. GUILTY written all over it at least man up to your actions.

He's now decided to put it back online, his hotel discord server is going crazy right now with this topic.

You must be registered for see images attach

You must be registered for see images attach

 

[Object]

Drama time! Grab the popcorn boyos.
Anyone with access to a database will have access to your IP, email and password. Always use a random password/fake email on retros.

The least you can expect from any website storing user information is to store users passwords with up2date hashing.

Anything less just screams you're up to no good. There's no reason to use any insecure hashing or no hashing at all, unless you're actually trying to abuse your users credentials

 

[Rain]

Are you serious?
The data logging was taken because of the constant hack attempts, I was trying to find out which form within the website had the vulnerability, which I did find. However, I will admit fault in saving HTTP requests as plain text, it was a poor mistake on my end, and it cost us dearly. Here you can see I have remedied this:

You must be registered for see images attach

Passwords have also been changed to Bcrypt to prevent data being released in the case of future intrusion:

You must be registered for see images attach

(encrypted the original password hash so people could log in to their existing accounts and change their passwords)

Also, LOIC is a useless HTTP flood tool that I had in my files to stress test my own hosting years ago, check the last modified time on the file. You can find more information about it here:

You must be registered for see links

- It's entirely useless for anything else, and I'm a little baffled that I'm being accused of keylogging and over LOIC....

Why say you're not releasing the database to protect the community, yet you've been using users passwords to access their accounts / discords ? I've done all the repairs I can, asked everyone to change their passwords, but there's only so much I can do from this point onwards.

I'm not too sure who's doing this, but I've never seen someone put so much effort into destroying other's fun. We're a strong community, and enjoy the time we have on the hotel. It is being made extremely difficult, and there are constant attempts to get at me personally.. to what gain? The community is dying and this behavior is only going to hurt the community even more

 

[HabbaNotSafe]

Drama time! Grab the popcorn boyos.
Anyone with access to a database will have access to your IP, email and password. Always use a random password/fake email on retros.

This is correct this is why we've decided it is in our best interest to not release the database and spread awareness.

The least you can expect from any website storing user information is to store users passwords with up2date hashing.

Anything less just screams you're up to no good. There's no reason to use any insecure hashing or no hashing at all, unless you're actually trying to abuse your users credentials

Yes, that is his exact reason there are post on Devbest from him in the past claiming he uses Bcyrpt Password hashing.

I forgot to mention as well I don't recall who it was who called him out on Discord or Devbest for faking his usercount which he tried to call them jealous

You must be registered for see images attach

You must be registered for see images attach

You must be registered for see images attach

This is also proof he'll lie about something as simple as faking his user count and make a essay explaining how other people are jealous and hating on him.

Thread:

You must be registered for see links

You can't talk yourself out of this one @Rain all the proof is provided.

You must be registered for see images attach

130769 to only find out hack attempts?? that's why all you've put all your users passwords/social media accounts/emails are in that table?

The truth is if this wasn't ever brought to the communities attention you'd still be doing the same thing. You're trying to talk yourself out of what you've done for years on end to people in the community. It shouldn't have taken over 6+ years for you to finally take these steps when being exposed.

 

[cammy]

This is correct this is why we've decided it is in our best interest to not release the database and spread awareness.

Yes, that is his exact reason there are post on Devbest from him in the past claiming he uses Bcyrpt Password hashing.

I forgot to mention as well I don't recall who it was who called him out on Discord or Devbest for faking his usercount which he tried to call them jealous

You must be registered for see images attach

You must be registered for see images attach

You must be registered for see images attach

This is also proof he'll lie about something as simple as faking his user count and make a essay explaining how other people are jealous and hating on him.

Thread:

You must be registered for see links

"We've decided not to release it", so it crossed your mind to release it? This is peak drama. Give us proof of someone being hacked, doxed, or someone downloading a virus. All we've seen so far is a very badly executed logging system, and an out of date http flooder.

 

[Rain]

Very true. But still, always use a random ass password.

The poor hashing was from RevCMS days when every hotel was using md5 - I'd never updated it throughout the years.
I would 100% second this though, never use passwords you use for other services, on retros. I didn't release anybody's passwords on purpose, they were in logs recorded by me and only ever meant to be seen by me, for XSS searching only - however, I never ever considered the malicious uses, and have since paid the price having the database stolen.

This is correct this is why we've decided it is in our best interest to not release the database and spread awareness.

Yes, that is his exact reason there are post on Devbest from him in the past claiming he uses Bcyrpt Password hashing.

I forgot to mention as well I don't recall who it was who called him out on Discord or Devbest for faking his usercount which he tried to call them jealous

You must be registered for see images attach

You must be registered for see images attach

You must be registered for see images attach

This is also proof he'll lie about something as simple as faking his user count and make a essay explaining how other people are jealous and hating on him.

Thread:

You must be registered for see links

Are you not making an essay hating on me right now? Who even are you? Just a hero to the community, or you prefer to stay hidden? I mean, since you're straight up acting an ass.

Also, I see you commented out a crucial line of code... As explained earlier, this is code from years ago, being used again - a lot has been removed using cheat fixes just like just setting the vars i don't want used to 0. It still needs to be cleaned up, however I will admit the password hashing was something I should have done better and the HTTP logging should have had more thought put into it regarding credentials.

 

[bigsmelly69]

Just a bystander, but this is so clearly fake I had to make an account.

This "HabbaNotSafe" entity has hacked numerous players' DISCORD accounts and spammed the link to THIS thread. How does hacking people get your point across? In what reality? I can promise you; not in this one. Makes you look even guiltier. Adding the part about Josh lying about user numbers just makes you look bitter and looks like you're grasping for ways to take him down personally. User count does not affect safety, I don't know shit about coding and even I know that. Rain/Josh has provided enough proof to make me think is he not only innocent, but he (and Habba) are also being attacked. @HabbaNotSafe I don't know what your motive is, but hacking retro users' Discord accounts and other hotels is just going to draw people away from retros entirely, not just Habba.

**Also: Rain not hashing the passwords was a mistake, but he ADMITTED to it and PROVED he fixed it. This "HabbaNotSafe" person(s) is just maliciously attacking people, which is not helpful in any way.

****Bystanders also know that the people DDOSing are in the retro community. You think hacking other retros will get you more money because they'll come to your retro, but they won't. They won't trust retros and quit. Y'all are disgusting and are digging your own grave.

 

[HabbaNotSafe]

The poor hashing was from RevCMS days when every hotel was using md5 - I'd never updated it throughout the years.
I would 100% second this though, never use passwords you use for other services, on retros. I didn't release anybody's passwords on purpose, they were in logs recorded by me and only ever meant to be seen by me, for XSS searching only - however, I never ever considered the malicious uses, and have since paid the price having the database stolen.

Are you not making an essay hating on me right now? Who even are you? Just a hero to the community, or you prefer to stay hidden? I mean, since you're straight up acting an ass.

Also, I see you commented out a crucial line of code... As explained earlier, this is code from years ago, being used again - a lot has been removed using cheat fixes just like just setting the vars i don't want used to 0. It still needs to be cleaned up, however I will admit the password hashing was something I should have done better and the HTTP logging should have had more thought put into it regarding credentials.

I love how you call everyone a hater when you're being called out on your bullshit. It's clear as daylight @Rain even @Liam called you out and you typed out an essay of how he was jealous of you and a hater. The sad truth is @Liam was right about you that you can't handle being exposed for who you are instead you try and talk yourself out of being exposed. I am sticking my ground and I will continue to spread awareness.

Does this look like weak hashing to you?

You must be registered for see images attach

P.S
You shouldn't own a hotel if you can't learn to protect other users data the right way before opening your hotel to the public there is not excuse for you allowing this to happen.

You can continue to reply nonsense, my goal of letting the community know the truth about you has been released. I don't have anymore reason to reply to you on here to entertain your stories and the quickest excuse you come up with for what you did. People are more than welcomed to DM me on here if they have questions or reply.

Post automatically merged: Oct 23, 2023

"We've decided not to release it", so it crossed your mind to release it? This is peak drama. Give us proof of someone being hacked, doxed, or someone downloading a virus. All we've seen so far is a very badly executed logging system, and an out of date http flooder.

You must be registered for see images attach

I will not expose the victim who spoke up about this experience since they use to be a Habba user it will only make them get targeted more.

Just a bystander, but this is so clearly fake I had to make an account.

This "HabbaNotSafe" entity has hacked numerous players' DISCORD accounts and spammed the link to THIS thread. How does hacking people get your point across? In what reality? I can promise you; not in this one. Makes you look even guiltier. Adding the part about Josh lying about user numbers just makes you look bitter and looks like you're grasping for ways to take him down personally. User count does not affect safety, I don't know shit about coding and even I know that. Rain/Josh has provided enough proof to make me think is he not only innocent, but he (and Habba) are also being attacked. @HabbaNotSafe I don't know what your motive is, but hacking retro users' Discord accounts and other hotels is just going to draw people away from retros entirely, not just Habba.

**Also: Rain not hashing the passwords was a mistake, but he ADMITTED to it and PROVED he fixed it. This "HabbaNotSafe" person(s) is just maliciously attacking people, which is not helpful in any way.

****Bystanders also know that the people DDOSing are in the retro community. You think hacking other retros will get you more money because they'll come to your retro, but they won't. They won't trust retros and quit. Y'all are disgusting and are digging your own grave.

Nice try @Rain

You must be registered for see images attach

 

[bigsmelly69]

You're claiming not to be @Rain you literally type the same exact way as him with the same grammar you're the most obvious alt. Look at your replies and his compare the two LOL come on bro.

what even is this argument. obvs me joining now is weird timing but you cannot compare grammar off of like 3 replies. mf thinks he a forensic linguist.

again, you are hacking the habba discord server and spamming the link to this thread. why would new people not join devbest and respond? more reason for me to believe you're lying.

also since ur such a big scary hacker you could've looked at the metadata on my screenshot (which doesnt even require hacking) to see I'm not Rain. literally idiotic

 

[Rain]

Well you've really made yourself look like an idiot now..

You're claiming not to be @Rain you literally type the same exact way as him with the same grammar you're the most obvious alt. Look at your replies and his compare the two LOL come on bro.

I mean, as much as people can DM you for "truth", I'll offer the same. If anybody wants a genuine run down of how this all went, feel free to HMU

 

[HabbaNotSafe]

Are we just gunna dodge the fact that you're apparently hacking people to get people to this thread? What's happening there?

Keep the same energy you've kept for @Rain with me. It's no time to be bias in this matter @cammy

Are you not making an essay hating on me right now? Who even are you? Just a hero to the community, or you prefer to stay hidden? I mean, since you're straight up acting an ass.

@cammy all sudden you know who I am? Trust me none of you know who I am, and I will keep it that way due to the stories I've heard about what @Rain has done to others.

it is very funny @cammy you're trying to twist the story to help your friend cover his lies.. it will not work. I have done none of these things because if I did I would have no issue leaking the database that is not in my morals, I have simply come here to expose the truth.

I have provided proof of my claims which you haven't of yours nor do you even know who I am to make such false claims.

 

[bigsmelly69]

Keep the same energy you've kept for @Rain with me. It's no time to be bias in this matter @cammy


@cammy all sudden you know who I am? Trust me none of you know who I am, and I will keep it that way due to the stories I've heard about what @Rain has done to others.

it is very funny @cammy you're trying to twist the story to help your friend cover his lies.. it will not work. I have done none of these things because if I did I would have no issue leaking the database that is not in my morals, I have simply come here to expose the truth.

I have provided proof of my claims which you haven't of yours nor do you even know who I am to make such false claims.

You're acting like some sort of prophet saving the retro community from being hacked. You are maliciously attacking and hacking people you ain't no fucking prophet. Until you find a different way to go about this, me (and probably everyone else who comes across this) will think you're a jobless nerd and not believe you.

In politics, hacking or cheating to win will not gain you votes, it will make you untrustworthy. Think Watergate. Same thing gonna happen here when it comes out that you (probably) own a competing retro. As I said, y'all retro owners are digging ur own graves.

 

[HabbaNotSafe]

You're acting like some sort of prophet saving the retro community from being hacked. You are maliciously attacking and hacking people you ain't no fucking prophet. Until you find a different way to go about this, me (and probably everyone else who comes across this) will think you're a jobless nerd and not believe you.

Again I will ask for proof of this because I haven't done these things and @Rain clearly stated in his message he doesn't know who I am and all sudden I've done these things to others? Get your guys story right at least if you're going to try and twist the story on me and reverse it for me exposing you. It is clear to see you're a user of Habba and friend of Rain which is alright. However I will not let you state false claims with no proof to back it up at least I provided hard proof. It's obvious he's had his friends try to come on Devbest to defend him for being exposed and that's fine their is 1 of me and 3 of you commenting back to back.

 

[cammy]

Keep the same energy you've kept for @Rain with me. It's no time to be bias in this matter @cammy


@cammy all sudden you know who I am? Trust me none of you know who I am, and I will keep it that way due to the stories I've heard about what @Rain has done to others.

it is very funny @cammy you're trying to twist the story to help your friend cover his lies.. it will not work. I have done none of these things because if I did I would have no issue leaking the database that is not in my morals, I have simply come here to expose the truth.

I have provided proof of my claims which you haven't of yours nor do you even know who I am to make such false claims.

I do not know rain. A simple "that's not true" would of sufficed but it seems like I've made good judgement here. This just looks like blatant gas lighting.

 

[bigsmelly69]

Again I will ask for proof of this because I haven't done these things and @Rain clearly stated in his message he doesn't know who I am and all sudden I've done these things to others? Get your guys story right at least if you're going to try and twist the story on me and reverse it for me exposing you. It is clear to see you're a user of Habba and friend of Rain which is already. However I will not let you state false claims with no proof to back it up at least I provided hard proof. It's obvious he's had his friends try to come on Devbest to defend him for being exposed and that's fine their is 1 of me and 3 of you commenting back to back.

I'm not his friend. I don't know for 100% certainty that he isn't a hacker. But I do know with 100% certainty that you ARE. It's as simple as that. Tell me why someone OTHER THAN YOU would hack someone's Discord account (who is a prominent retro user) and spam the link to THIS EXACT ARTICLE.

Tell me why someone TRYING TO HELP THE RETRO COMMUNITY WITH SAFETY would blatantly gaslight and pull outside and unrelated information (the user number lie) to prove their case. It's malicious and everyone's seen through it. That's why people are ganging up on you.

 

[Laynester]

I'm not his friend. I don't know for 100% certainty that he isn't a hacker. But I do know with 100% certainty that you ARE. It's as simple as that. Tell me why someone OTHER THAN YOU would hack someone's Discord account (who is a prominent retro user) and spam the link to THIS EXACT ARTICLE. First mistake.

Tell me why someone TRYING TO HELP THE RETRO COMMUNITY WITH SAFETY would blatantly gaslight and pull outside and unrelated information (the user number lie) to prove their case. It's malicious and everyone's seen through it. That's why people are ganging up on you.

how are u sure that its not rain using the passwords from his logs to get into peoples discords to make this thread look like a joke? a little common sense my guy

 

[HabbaNotSafe]

I'm not his friend. I don't know for 100% certainty that he isn't a hacker. But I do know with 100% certainty that you ARE. It's as simple as that. Tell me why someone OTHER THAN YOU would hack someone's Discord account (who is a prominent retro user) and spam the link to THIS EXACT ARTICLE. First mistake.

Tell me why someone TRYING TO HELP THE RETRO COMMUNITY WITH SAFETY would blatantly gaslight and pull outside and unrelated information (the user number lie) to prove their case. It's malicious and everyone's seen through it. That's why people are ganging up on you.

You're dodging the fact I've mentioned @Rain has stated he doesn't know who I am. Which you all of a sudden do and you know the guy? right... Now I am the hacker? It's simple provide proof to backup your false claims.

That's all I'm asking is provide proof...?

Post automatically merged: Oct 23, 2023

how are u sure that its not rain using the passwords from his logs to get into peoples discords to make this thread look like a joke? a little common sense my guy

Exactly this, I have provided countless proof and now @bigsmelly69 his friend wants to try and twist it on me. If I wanted to hack people or get into their Discord why would I bring attention to this topic? use common sense...