Trading Paints Data Breach: Over 270.000 Account Login Credentials Leaked

Trading Paints Leak 2023 Header.jpg
Running custom liveries in iRacing has never been easier than with Trading Paints. Sim racers are urged to change their passwords and not use the application for the time being, however: The third-party program has suffered a big security breach, with login data of over 270.000 accounts being leaked.

Change Your Passwords!​

Spotted by X (formerly Twitter) user Musantro, the breach sees the leaked login credentials being for sale. Of course, this is an enormous security risk, especially for those who used the same combination of email and password for other sites, so it is recommended to change your Trading Paints password and do so on any site that used the same combination as well.


iRacing's Senior DevOps Engineer Nicholas Bailey has confirmed the issue in a forum post, advising users to try and use a password manager for future passwords that are harder to crack. Trading Paints themselves are aware of the issues and have already begun work to try and fix the problem.


There had initially been some confusion as to whether or not it would be safe to use the Trading Paints downloader after changing passwords. Trading Paints have answered that question in another Tweet, stating that login credentials are not stored in the downloader itself - however, until there is confirmation that nothing else within the software has been compromised, it might be a good idea to stop using Trading Paints altogether and uninstall it to avoid any potential issues.

How is iRacing Going to React?​

With Trading Paints, iRacing users can run custom liveries on their cars and see the designs of anyone else who uses the application when on track. This means easy distribution of paint schemes, as they are all downloaded automatically when entering a session so the user only has to set things up once to see the liveries of their competitors.

After the security breach at hand, it could be a possibility that iRacing is going to look into implementing such a service themselves rather than having users rely on a third-party application that could potentially harm their iRacing accounts.
  • Like
Reactions: Foresight and Adyl
About author
Yannik Haustein
Lifelong motorsport enthusiast and sim racing aficionado, walking racing history encyclopedia.

Sim racing editor, streamer and one half of the SimRacing Buddies podcast (warning, German!).

Heel & Toe Gang 4 life :D

Comments

How's RD's security? Assume you guys hold over a million accounts or so? That's quite a responsibility. I'm not accusing here, just curious :thumbsup:
 
Last edited:
Premium
How's RD's security? Assume you guys hold over a million accounts or so? That's quite a responsibility. I'm not accusing here, just curious :thumbsup:
I believe it's 3 million, that would be a worthy sale for the unscrupulous. but it's all about nothing's free, every site wants something, even if it's just the email addy to add to a list.
 
Premium
I think it was about the time that Yahoo got hacked for a billion accounts that I realized when companies say X accounts hacked/leaked they really don't know and it's just everything and I now just assume all my info is hacked and on the darkweb.

Keep as much info to yourself. Go (pseudo)-anonymous as much as possible. Let your browser or other password manager remember your passwords for you. Prefer proven end-to-end encrypted services where possible. Minimize your exposure by resisting the urge to install every little app.
 
How's RD's security? Assume you guys hold over a million accounts or so? That's quite a responsibility. I'm not accusing here, just curious :thumbsup:
Xenforo, this forum software, uses a one-way hashing algorithm. The Trading Paints passwords were stored in MD5, unsalted, where I was able to confirm the site hack was legit by pasting the text of my password into a form on a Web site and it instantly returned the real password I used when I registered there like 15 years ago. Storing unsalted MD5 was bad in 2003, never mind 2023.

(I was able to see the text of my password as I was included in the 'sample' the hacker posted where he is trying to sell the data).
 
Last edited:
Xenforo, this forum software, uses a one-way hashing algorithm. The Trading Paints passwords were stored in MD5, unsalted, where I was able to confirm the site hack was legit by pasting the text of my password into a form on a Web site and it instantly returned the real password I used when I registered there like 15 years ago. Storing unsalted MD5 was bad in 2003, never mind 2023.

(I was able to see the text of my password as I was included in the 'sample' the hacker posted where he is trying to sell the data).
That's a future flex isn't it: "I was considered interesting enough to be a data sample in a stolen datset"
 
Staff
Premium
Xenforo, this forum software, uses a one-way hashing algorithm. The Trading Paints passwords were stored in MD5, unsalted, where I was able to confirm the site hack was legit by pasting the text of my password into a form on a Web site and it instantly returned the real password I used when I registered there like 15 years ago. Storing unsalted MD5 was bad in 2003, never mind 2023.

(I was able to see the text of my password as I was included in the 'sample' the hacker posted where he is trying to sell the data).
Agreed. Using unsalted password hashing is absolutely inexcusable and has been so for a long time. Users don't need to understand this, but anyone writing software for a website certainly should.
Xenforo's approach is pretty healthy I reckon.
No website is hack-proof but use of salted hashes with an "expensive" hash function does at least limit the damage if/when the database is breached.
(NB: MD5 hashes are also one-way, but relatively "cheap".)
 
Generally speaking it's better to connect to a different login service like steam or discord, that way you're never ever dealing with credentials on your server.
With an external authentication system only the client will ever have to remember a token.
 
Hands up who has enabled dual verification for RaceDepartment ?
Hands up who has changed their router password ?
Hands up who pays for top VPN and password manager ?

You reap what you sow. :coffee:
 
Hands up who has enabled dual verification for RaceDepartment ?
Hands up who has changed their router password ?
Hands up who pays for top VPN and password manager ?

You reap what you sow. :coffee:
This is whataboutism at its finest. Asking whether endusers have their own security measures in place. When the topic is about companies protecting large data sets to protect you as a customer. And in my case: no-yes-yes. Soon to be a yes-yes-yes (thanks for pointing out there is MFA on RD) except for VPN because I don't trust most of these services.

So when curiously asking how RD's security is, I mean: network layering, tiered server infra, role based access, protection from SQL injections, backup/restore plan, DNS protection, TLS certificate management etc.
And then after that we as customers should indeed take matters into our own hands by protecting our own identity and data, for as good as we can.

We live in a world of (interconnected) web services. It's hard for most people to manage their digital identity. On top of that, there is a lot of pressure to use things most people don't understand. Like 80 year old people e-banking because all the real life bank offices have closed.
The European Union made clear the people need to be protected, by introducing the GDPR which -by law- demands companies and governments to protect their customers' data. RD is a company.
 
Premium
This is how the Big guys take out the little guys. Opportunity precents itself , Bang!! Lion vs Deer.
 
Last edited:

Latest News

Article information

Author
Yannik Haustein
Article read time
2 min read
Views
4,122
Comments
16
Last update

What would be the ideal raceday for you to join our Club Races?

  • Monday

    Votes: 23 14.6%
  • Tuesday

    Votes: 19 12.0%
  • Wednesday

    Votes: 23 14.6%
  • Thursday

    Votes: 21 13.3%
  • Friday

    Votes: 57 36.1%
  • Saturday

    Votes: 92 58.2%
  • Sunday

    Votes: 59 37.3%
Back
Top