[WARNING] Habbeh Hotel - Abusing user data

[Weasel]

Please read this carefully. If you are registered on Habbeh Hotel, please change your password if you also use this on other websites, such as DevBest.

After the suspension of Habbeh Hotel on FindRetros, we have seen a lot of compromised accounts on DevBest that all lead back to the owner of Habbeh Hotel. Currently, DevBest Staff have banned multiple compromised accounts. The owner of Habbeh Hotel has also been permantly banned from DevBest since quite a while, also due to posting user data for the public to see.

We strongly advice to stay away from Habbeh Hotel, for your own safety. If you still want to visit, make sure you use a VPN and a unique password you don't use for anything else.

Also refer to this thread by @Canadian:

You must be registered for see links

 

[Hayd3n]

Ok idk where you're getting this false information from but I have a good idea,
Habbeh uses Bcrypt hash for password / staff pins and nothing has been changed in the backend since I gave him the cms. There only 2 people I can think of who would try and put the blame on habbeh and they've both been deranked cause they opened their own hotels.

Can you pm with more information about this, if it is true I won't be helping them anymore

 

[Weasel]

Ok idk where you're getting this false information from but I have a good idea,
Habbeh uses Bcrypt hash for password / staff pins and nothing has been changed in the backend since I gave him the cms. There only 2 people I can think of who would try and put the blame on habbeh and they've both been deranked cause they opened their own hotels.

Can you pm with more information about this, if it is true I won't be helping them anymore

We won't share anything that has been provided to DevBest and FindRetros Staff. However we have enough proof, besides our own logs on DevBest that proof a lot of accounts have been compromised by the owner of Habbeh.

Some of the information provided to us also show your involvement with what caused Habbeh to be suspended in the first place. DevBest Super Moderation and FindRetros Staff don't open community alerts warning our users without valid proof and investigation.

 

[Ecko]

Ok idk where you're getting this false information from but I have a good idea,
Habbeh uses Bcrypt hash for password / staff pins and nothing has been changed in the backend since I gave him the cms. There only 2 people I can think of who would try and put the blame on habbeh and they've both been deranked cause they opened their own hotels.

Can you pm with more information about this, if it is true I won't be helping them anymore

It's not that hard to write inputted passwords to a text file and have them saved in plaintext (not saying that's what is happening here, but fairly simple to get user passwords by just having access to the code and not having access to the database).

 

[Kak]

If you still want to visit, make sure you use a VPN and a unique password you don't use for anything else.

if u cant play the hotel like normal and safely without risking personal data to be stolen there is no point playing it at all then tbh vpn or no vpn

 

[MayoMayn]

Not only do they steal peoples passwords or whatever, They also black mail you with your own private social media .. GREAT hotel.

Uhm, how can you be black mailed with your social media account? You do realize it's public, right?

 

[griimnak]

Common sense, use this rule when signing up for all Habbo retros:

• Do not use a real password.

We have all (for the most part) worked with revcms, ubercms blah etc etc, right?
Well then you should know that most of these small scale Habbo retros don't even salt their passwords.
Perhaps i'm outdated, correct me if i'm wrong, but early 2013 i remember it being as easy as someone just searching "md5/sha converter".

b smart, use bcrypt @future retro owners

 

[Hayd3n]

Common sense, use this rule when signing up for all Habbo retros:

• Do not use a real password.

We have all (for the most part) worked with revcms, ubercms blah etc etc, right?
Well then you should know that most of these small scale Habbo retros don't even salt their passwords.
Perhaps i'm outdated, correct me if i'm wrong, but early 2013 i remember it being as easy as someone just searching "md5/sha converter".

b smart, use bcrypt @future retro owners

It uses bcrypt

 

[Weasel]

It uses bcrypt

When the owner is in the wrong, it's not that hard to write the inputted passwords somewhere else.

 

[Sledmore]

While I wouldn't trust the owners of that hotel regardless of any outcome, I gotta say its a 50/50 chance that they're screwing around.

Most of this occurred after the recent leak of their web, which has multiple exploits - you could (still can) upload a shell through one of the pages, another one had their SQL connection details (which wasn't closed or limited...)

Not defending the hotel, just saying.

 

[MayoMayn]

While I wouldn't trust the owners of that hotel regardless of any outcome, I gotta say its a 50/50 chance that they're screwing around.

Most of this occurred after the recent leak of their web, which has multiple exploits - you could (still can) upload a shell through one of the pages, another one had their SQL connection details (which wasn't closed or limited...)

Not defending the hotel, just saying.

Exploit or not, it's still the owners responsibility to prevent such a thing.
If they had some common sense, they would've fixed it.

Pretty sure none of them prevents CSRF or a Rate Limiter to prevent time attacks.

 

[Bossman]

It uses bcrypt

Just because you've shown a screenshot doesn't prove anything... You could be logging all logins in plain text in a different table or even a text document like a phisher would for all we know.

With an ego like Sebs it wouldn't surprise me.

 

[BIOS]

Sigh. No. 1 basic rule: never re-use passwords.

Those accounts which were compromised deserve it for trusting these idiots with such sensitive information in the first place.

Ok idk where you're getting this false information from but I have a good idea,
Habbeh uses Bcrypt hash for password / staff pins and nothing has been changed in the backend since I gave him the cms. There only 2 people I can think of who would try and put the blame on habbeh and they've both been deranked cause they opened their own hotels.

Can you pm with more information about this, if it is true I won't be helping them anymore

Can you confirm that this is false? How do you know nothing has changed in the back-end, you must have access to the code and/or database in discussion? If so, then who else does?

Your argument is pretty weak & it seems the owner is pretty careless. Regardless of what hashing is being used to store the passwords, it doesn't mean it cannot be intercepted during transmission or before it is processed.

Besides, even bcrypt isn't bulletproof if you're not properly enforcing strong password entropy (something most hotels do not). This would just make it easier for an offline attack to take place.

Exploit or not, it's still the owners responsibility to prevent such a thing.
If they had some common sense, they would've fixed it.

Pretty sure none of them prevents CSRF or a Rate Limiter to prevent time attacks.

The correct implementation of bcrypt is already somewhat protected against timing attacks, regardless of any other application level mechanisms.

That doesn't mean if you're using a weak password (say, < 8 & only alphanumeric) it cannot be found pretty quickly by someone with a dictionary & offline access to the database.

 

[Thomasss]

I own a hotel and if I'm honest I wouldn't call myself a developer. I have joined retro's in the past and I've had this issue where people were logging into my account somehow even though it was a hard password. When I started owning hotels I understood how it all worked. Is there not a way to somehow patch the Password section in Database ( Users )
I think personally if that was gone it would be more secure for the users and they're private information? Obviously owners shouldn't be doing that but surely that is a illegal hence data protection? I may be wrong just trying to understand further.

 

[CosmoPeak]

So if that happened, is there a way of still regaining users passwords?

I was joking -- in seriousness, no, any sensible hotel should receive the password and store it encrypted in the database (preferably with a modern encryption method). it's impossible to know if the owners of a hotel is doing anything with the password (such as storing it as plaintext), but it's up to you to use proper passwords and decide if you trust a particular hotel or not. if someone's doing something dodgy, there's not much you can do about that. password's need to be stored somewhere.

 

[Joe]

Pretty sure Habbeh closed already lul

 

[Weasel]

Pretty sure Habbeh closed already lul

Same warning goes for HabFun and Peace Hotel, both owned by the same guy.

 

[Hayd3n]

Same warning goes for HabFun and Peace Hotel, both owned by the same guy.

i don't own habfun
He gave up on it so I redirected it and he has nothing to do with peace

 

[Weasel]

i don't own habfun
He gave up on it so I redirected it and he has nothing to do with peace

Yeah well, we have screens saying otherwise. The fact that you had access to the VPS same as Seb says enough too.

 

[Hayd3n]

Ok buddy, can you show me these "screens"?
Also I had access cause I gave him everything for that hotel (cms/emu) and one of my servers.