Ya know, I used to enjoy a little TTR every now and then. But now I'm afraid to even log in because of all these hacks I've been hearing about. I mean they should prevent it better, like getting some better protection against hacking.
It wasn't exactly hacking. The "hacker" DDoSed the TTR servers. This means they intentionally overloaded the servers by sending a ton of information to them. This caused the servers to be shut down. DDoS protection isn't easy or cheap, and literally anyone can DDoS something and shut it down.
The "hacker" found an exploit within the TTR login. This exploit did not allow for passwords to be leaked at all. But it in a way did leak usernames. Basically when signing up for an account, if you enter a username that is already taken, it will ask you to pick another one and say that the username was taken. This happens for every account creation on every site ever. However, with TTR you did not need to enter an email address when signing up, so you would not need a valid one, or one that had already been used.
This allowed the "hacker," I will now call him an exploiter, to create a simple script, or program, to automatically send in a huge list of possible, or theoretical, usernames and then write the taken ones down in a simple text file. He then used a brute forcing method for figuring out passwords.
Brute forcing is the act of trying password after password until you get it correct. Because this exploiter already had a large list of usernames, he simply threw together a list of the world's most common passwords, and wrote a simple program to try each of the passwords with each username.
If your password was common and simple enough to be on the list, bam. He had your account. If your password was secure, you were fine.
TTR has since patched the exploit to get the usernames, and has put in added security so that you may only try to log in to an account a fixed number of times before having to wait. This reduces the risk of brute forcing, as the brute forcer would have to enter, say, 5 passwords, fail, then wait 30 minutes to do it again. It's unlikely someone would go through that.
Simply have a good strong password and you are fine.
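The attempt limit described in the post above, sketched as an added example (this is not TTR's code). The class and function names are hypothetical, the 5-attempt and 30-minute values are the post's own "say" figures, and state is kept in memory for illustration:

```python
import time

class LoginThrottle:
    """Per-account lockout: max_failures wrong passwords, then a forced wait."""

    def __init__(self, max_failures=5, lockout_seconds=30 * 60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                # injectable so the policy can be tested
        self._state = {}                  # username -> (failures, locked_until)

    def retry_after(self, username):
        """Seconds left before this account accepts another attempt (0 = now)."""
        _, locked_until = self._state.get(username.lower(), (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def attempt(self, username, verify):
        """Run verify() only if the account is not locked; return the outcome."""
        key = username.lower()
        if self.retry_after(key) > 0:
            return "locked"               # password is never checked while locked
        if verify():
            self._state.pop(key, None)    # success clears the failure count
            return "ok"
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            self._state[key] = (0, self.clock() + self.lockout_seconds)
        else:
            self._state[key] = (failures, 0.0)
        return "failed"


def seconds_to_try(guess_count, **policy):
    """Simulated time for guess_count wrong guesses against a single account."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    for _ in range(guess_count):
        now[0] += throttle.retry_after("toon")      # wait out any lockout
        throttle.attempt("toon", lambda: False)     # constructed: always wrong
    return now[0]


if __name__ == "__main__":
    hours = seconds_to_try(1000) / 3600
    print(f"1000 guesses on one account take {hours:.1f} hours")
```

This counter is per account only, so a site would normally pair it with a limit per source address to cover guesses spread across many usernames.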