MacRumors user forums have been breached by hackers who may have acquired cryptographically protected passwords belonging to all 860,000 users, one of the top editors of the news website said Tuesday evening. "In situations like this, it's best to assume that your MacRumors Forum username, e-mail address and (hashed) password is now known," Editorial Director Arnold Kim wrote in a short advisory. He went on to advise users to change their passwords for their MacRumors accounts and any other website accounts that were protected by the same passcode.
The MacRumors intrusion involved "a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials," Kim said. The company is still investigating how the attacker managed to compromise the privileged account. "We're not sure how the original moderator's password was obtained, but it seems like they just logged in with it," Kim wrote in an e-mail to Ars. "We are looking into it further to see if there was another exploit, but there hasn't been any evidence of it yet." Kim also told Ars that log files examined so far seem to indicate the intruder "tried to access" the password database. At this early stage, there are no indications that the passwords, either in cryptographically hashed or cracked format, are circulating online. There's also no sign that the hackers were able to access any other data than that belonging to the use forums.
Kim went on to compare the hack to one that hit Ubuntu forums in July. The Ubuntu breach exposed cryptographically hashed password data for an estimated 1.82 million users to hackers who went on to deface the site's home page. Like the Ubuntu forums, MacRumors used the MD5 algorithm, along with a per-user cryptographic salt, to convert plain-text passwords into a one-way hash.
The scheme is the standard protection provided by VBulletin, the Web software used on both the Ubuntu and MacRumors forums. Still, many password experts consider the MD5 with or without salt to be an inadequate means of protecting stored passwords. They say that while per-user salt slows down the time it takes to crack large numbers of passwords in unison, it does little or nothing to delay the cracking of small numbers of hashes. That means the scheme deployed by MacRumors does nothing to prevent the decoding of individual hashes that may be targeted because of the attractiveness of the specific user it belongs to -- a high-ranking executive or celebrity, for instance, or people whose e-mail addresses belong to Fortune-500 domains.
Some MacRumors account holders have reported compromises affecting accounts they have on other sites, although at this early stage it's impossible to know if that's linked to the MacRumors security breach.
Readers who had MacRumors accounts would do well to follow Kim's advice and immediately change login credentials that use the same or similar password. They should also be vigilant of phishing attempts, since their user names and e-mail addresses have also been exposed.
This story originally appeared on ars technica
This article was originally published by WIRED UK
