RevolutionTT hacked?

It looks like the online bittorrent tracker RevolutionTT ("RevTT") has been hacked, or has it?


All I know for now, is that a user with the username Afghanis has posted this torrent on ThePirateBay: "RevTT accounts and passwords ( www.revolutiontt.me ) - Enjoy".

I downloaded the torrent, and this is what I found:

A "Read Me.nfo" file with the following text:
Hello World !!! From Civilized Afghan Socity, of course we do have stupid Talibans also but we do have very well educated people living in beautiful Kabul City ;-) RevolutionTT.Me (RevTT) Database Hacked by Afghanistan Hackers !!! Everyone, login to your favorite account, change the password and enjoy the site :-D A Special Thanks Goes to the US and NATO for supporting Afghanistan kicking Taliban out of Afghanistan and kicking Pakistani Terrorists out of Afghanistan too. Afghans will never forget what US/NATO did for Afghanistan. Thank You Once Again :-D HEIL to AFGHANISTAN !!!

A "RevTT (www.revolutiontt.me) Database (Username and passwords).rtf" file, with usernames and passwords:


Looking at the metadata of the Rich Text Format (.rtf) file, I found this:
\ansicpg1252 <-- U.S. Windows Code Page
\deflang1033 <-- default language (http://latex2rtf.sourceforge.net/RTF-Spec-1.0.txt)
\*\generator Msftedit 5.41.21.2510 <-- I got the same on my Win7 Pro using MS Wordpad
\sl276 <-- paragraph style (which one is 1276?)
\lang9 <-- language (not english?)


And for the torrent file:
Single Announce: http://fr33dom.h33t.com:3310/announce
Comment: Enjoy
Created by: uTorrent/2210
Creation date: Tue Sep 18 2012 20:39:16 GMT+0200 (Romance Daylight Time)
(Uploaded to TPB: 2012-09-18 22:21:09 GMT)


First I removed all lines not containing a username and password:
Total lines: 18158 (from 19048)
The I made a list of unique usernames: 7698
And one with unique passwords: 7703

Weird stats? Not really, users are more likely to type their password wrong, than their username (based on my own experience).

And just for fun, I made a list of users trying to login with their mail (list contain duplicates):
Trying to login with mail:
Gmails: 69 times
Hotmails: 64 times
Yahoo: 30 times


But does the usernames and passwords come from RevTT?
Well, look at these passwords:
r3v0lut!0n
PS.0MG_RTT_t0rr3ntz_PLZ_080601;
RTTludixrous
laRTTpw440
dig8talrevtt

Lets just say "probably" ;-)


Based on the strength of multiply of the passwords (e.g. 'PS.0MG_RTT_t0rr3ntz_PLZ_080601;' <-- I fucking like that guy!) and based on many duplicates, many different passwords for the same user, and based on the fact that RevTT has many more users than ~7k, then I conclude that these passwords wasn't bruteforces (from a database full of hashes), but instead probably 'sniffed'. Either someone got access to the server (and added a "save passwords remote/cleartext" to login.php), or maybe RevTT was a victim of MitM? (I've seen this before against torrent trackers). Right now RevTT is forcing https (credit to them!), but what I could read from some of the victims, is that this dump is old, so it might be before RevTT started using https only?