If you’re one of the many people using the third-party app to run custom liveries on iRacing, make sure you update your password: Trading Paints user data has been leaked and is for sale online. Around 270,000 accounts are impacted, and the breach has since been officially confirmed.
The issue was first shared by @Musantro on X (formerly Twitter), who linked to a forum displaying the emails and MD5-hashed passwords for users including iRacing staff Steve Myers, Greg Hill, Nim Cross and more.

Trading Paints is an application created by a small team that isn’t linked to iRacing. It has been around for years, allowing many people to easily design or use custom liveries, which are visible in the racing sim to anyone else also running the application. So it’s extremely popular, and often one of the first free apps recommended to anyone signing up to iRacing, especially as it makes it easier to run set liveries in league racing.
The breach has been confirmed by both iRacing staff on the official forum, and by Trading Paints themselves.

If you’re an existing Trading Paints user, it’s important to reset your password as soon as possible, particularly if you’ve also used it elsewhere (for example, on your iRacing account), and to use unique passwords in future (you can keep track using various apps, techniques or pen and paper).
Trading Paints does store your iRacing ID number to sync your accounts, but doesn’t require your password for the sim racing service, so if you haven’t used the same thing on both services, your iRacing account hopefully won’t be impacted.

There’s no information regarding any other data being compromised, and Trading Paints Pro memberships are bought via PayPal as a payment processor, so you’re not entering any details directly into the website itself.
Unfortunately, the MD5 hash function has been known to be flawed and vulnerable for many years, but is still utilised by a significant number of widely used content management systems and other applications. So you should assume that your old password has been compromised, and ensure it’s reset. It’s also likely that once the Trading Paints team have investigated the source of the data leak and ensured it’s secured, they’ll ask users to update passwords again, whether it was due to a software issue or an individual.
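For anyone running a site that still stores MD5 password hashes, here is an added example (not code from Trading Paints or iRacing) of moving accounts to a salted, slow hash when users next log in. It assumes the legacy records are plain unsalted MD5 hex digests, which the leak report does not specify; the function names and the `scrypt$salt$hash` record format are made up for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: deliberately slow and memory-hungry (about 16 MiB per guess).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_md5(password):
    """Assumed legacy format: unsalted MD5 hex digest (fast, same output for everyone)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_hash(password, salt=None):
    """New format (hypothetical): 'scrypt$<salt hex>$<derived key hex>' with a per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt${}${}".format(salt.hex(), key.hex())


def verify_and_upgrade(password, stored):
    """Check a login attempt. Returns (ok, record_to_store).

    A correct login against a legacy MD5 record returns a fresh scrypt
    record so the MD5 value can be overwritten in the database.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (scrypt_hash(password) if ok else stored)


def demo():
    """Constructed sample data: two users who picked the same password."""
    pw = "constructed-sample-pass"
    md5_a, md5_b = legacy_md5(pw), legacy_md5(pw)
    ok_a, new_a = verify_and_upgrade(pw, md5_a)
    ok_b, new_b = verify_and_upgrade(pw, md5_b)
    return {
        "md5_records_identical": md5_a == md5_b,     # one cracked hash exposes both users
        "scrypt_records_identical": new_a == new_b,  # per-user salts make them differ
        "both_logins_ok": ok_a and ok_b,
    }


if __name__ == "__main__":
    print(demo())
```

Upgrading the stored format only protects passwords going forward; hashes already in a leaked dump stay exactly as crackable as they were, which is why the password reset is still needed.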