Private Tracker Account Theft On The Rise: The Danger of Shared Seedboxes

June 11, 2009 by sharky

Just about everyone starting out in the world of seedboxes usually begins on a shared seedbox. They’re much more affordable (when compared to a dedicated box), they come pre-configured with a BitTorrent GUI & client, and there’s usually no setup fee. Simply pay, login to the box, and start adding torrents. Recently, however; there’s been an increasing trend whereby users of shared seedboxes are having their private tracker accounts hijacked. We explain how & why this is happening - and what you can do to prevent it.

Choose Wisely: Trust Your ‘Shared Seedbox’ Provider

On par with any Internet-based supplier, there are trustworthy reputable seedbox providers - and there are also unscrupulous scammers looking for a quick buck. The reality is, just about anyone can become a so-called "seedbox provider". Nobody wants to lose money for unrendered services or be forced to launch PayPal disputes. But there’s also the danger of having your private tracker accounts stolen.

Certain private trackers are reporting an alarming increase in account theft, solely related to the use of shared seedboxes. It works like this: the owner of the seedbox obtains your login details (username & password) to your private tracker account. Once logged in to the tracker, the password and email address are promptly changed in the user profile - and *presto* you’ve lost the ability to login. However, what cannot be changed is the username, which can be useful when attempting to recover the account, notably through a private tracker’s IRC channel.

Hijacked accounts can be sold on eBay, Craigslist etc. or quickly traded for other sites on torrent forums.

Protecting Your Tracker Accounts

Never give out your account information.

Some seedbox providers may outright ask you for your private tracker account details, perhaps to troubleshoot a problem such as transfer speeds. Under no circumstances should anyone divulge such information - it will not help solve any issues pertaining to speed or problems with the seedbox.

Never login to your private tracker account from your seedbox.

When you login to your private tracker account through a seedbox, it’s completely reasonable to assume that the owner of the seedbox server can steal your account information (login details). The ‘cookies’ may be left on the server (either through a previously used proxy, or a web browser cache) - thus your account info is retained for future access. It is unknown if a keylogger is being used to record this info, but likely not even required.

Essentially there are only a couple of ways that you can login to your tracker account via a shared seedbox; both should be avoided.

Seedbox Proxy: Some seedbox providers supply a proxy with the server, in order for users to be able to download torrents directly to the box. While 99% of private trackers have now adopted the passkey system; this is no longer necessary in most cases. One major exception is Demonoid.com - you’ll need to use a proxy or web browser on the seedbox to get the stats for the torrent to be counted towards your account. Otherwise, don’t use a proxy associated directly with the seedbox.

Desktop/Web Browser Access: Providers may offer "desktop" access to the server, whereby an Internet browser such as Firefox is available directly through the seedbox. This is especially true of Windows servers, but can also be found on Linux/*nix OSes as in the case with Ubuntu Desktop. Do not login to your private trackers from a seedbox web browser.

Passkey Theft

It’s unlikely that your tracker account can be stolen just from knowing the passkey in the torrent, but this is also a threat. Someone who obtains your passkey can manipulate the statistics on your account which can lead to unfavorable ratios, H&Rs, or even you being banned. Your passkey can also be used to upload bad torrents or download files without your knowledge.

Take for example: TorrentFlux. A provider (admin) of a seedbox running TorrentFlux has access to all of the torrents from all of the users. These are saved in a central location on the server (outside of the BT UI), and are not removed through TFlux even when "deleted" or "deleted with data" is applied. Below is a example of the path to all .torrent files on the server, as connected through SFTP:

Tips / What To Avoid

• Opt for a shared seedbox from a reputable supplier; one that’s been in business for awhile and has positive feedback (most torrent forums have discussion areas for this). Private tracker forums can also be a great place to find a seedbox - just be sure to check out the member first.

• Don’t use the same username/password on a seedbox that you use on your private tracker accounts (if applicable). Most seedbox providers will give you a random password, anyways.

• Avoid any seedbox offers through email, or through PMs on torrent boards and/or private trackers. Report these PMs to an admin on the site.

• Steer clear of services that offer to seed your torrents for you, or free seedbox offers (free torrent slots). Also avoid the use of temporary seedboxes. If it sounds too good to be true, it probably is.