It looks like the online bittorrent tracker RevolutionTT ("RevTT") has been hacked, or has it?
All I know for now, is that a user with the username Afghanis has posted this torrent on ThePirateBay: "RevTT accounts and passwords ( www.revolutiontt.me ) - Enjoy".
I downloaded the torrent, and this is what I found:
A "Read Me.nfo" file with the following text:
A "RevTT (www.revolutiontt.me) Database (Username and passwords).rtf" file, with usernames and passwords:
Looking at the metadata of the Rich Text Format (.rtf) file, I found this:
\ansicpg1252 <-- U.S. Windows Code Page
\deflang1033 <-- default language (http://latex2rtf.sourceforge.net/RTF-Spec-1.0.txt)
\*\generator Msftedit 22.214.171.1240 <-- I got the same on my Win7 Pro using MS Wordpad
\sl276 <-- paragraph style (which one is 1276?)
\lang9 <-- language (not english?)
And for the torrent file:
Single Announce: http://fr33dom.h33t.com:3310/announce
Created by: uTorrent/2210
Creation date: Tue Sep 18 2012 20:39:16 GMT+0200 (Romance Daylight Time)
(Uploaded to TPB: 2012-09-18 22:21:09 GMT)
First I removed all lines not containing a username and password:
Total lines: 18158 (from 19048)
The I made a list of unique usernames: 7698
And one with unique passwords: 7703
Weird stats? Not really, users are more likely to type their password wrong, than their username (based on my own experience).
And just for fun, I made a list of users trying to login with their mail (list contain duplicates):
Trying to login with mail:
Gmails: 69 times
Hotmails: 64 times
Yahoo: 30 times
But does the usernames and passwords come from RevTT?
Well, look at these passwords:
Lets just say "probably" ;-)
Based on the strength of multiply of the passwords (e.g. 'PS.0MG_RTT_t0rr3ntz_PLZ_080601;' <-- I fucking like that guy!) and based on many duplicates, many different passwords for the same user, and based on the fact that RevTT has many more users than ~7k, then I conclude that these passwords wasn't bruteforces (from a database full of hashes), but instead probably 'sniffed'. Either someone got access to the server (and added a "save passwords remote/cleartext" to login.php), or maybe RevTT was a victim of MitM? (I've seen this before against torrent trackers). Right now RevTT is forcing https (credit to them!), but what I could read from some of the victims, is that this dump is old, so it might be before RevTT started using https only?