
macrumors bot
Original poster
Apr 12, 2001
63,536
30,842


Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password are now known. While the passwords are "hashed" (which is a one-way conversion from your actual password to a scrambled version), given computing power these days, if your password isn't very complex, they could brute force figure it out by trying lots of combinations.

What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as LastPass or 1Password.

Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar, with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials.

We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.


Why did I not get an email sooner?

According to our email service, sending such a large burst of email in one day to all of our users will result in many of those emails getting automatically blocked. As such, we are sending emails out over time to ensure they reach your inbox.

Article Link: MacRumors Forums: Security Leak
 

retroneo

macrumors 6502a
Apr 22, 2005
769
140
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.
 

iLoveiTunes

macrumors 6502
Feb 26, 2011
268
512
holy moly..... :eek:

and there I was guessing MR admins were busy making Christmas cookies for everyone :D
 

Sheza

macrumors 68020
Aug 14, 2010
2,083
1,802
You could have ****ing told us as soon as it happened, the forum had been in maintenance mode for ages, why not tell us as soon as you put it like that?
 

HappyDude20

macrumors 68040
Jul 13, 2008
3,666
1,447
Los Angeles, Ca
Of all my years with MacRumors I've never seen anything like this.

I like MacRumors so much that I truly don't mind.

Just glad to be back on the forums! :D
 

JPBoram

macrumors newbie
Aug 30, 2013
23
0
lol

OMG! I added WP features to lock down my http://vaultfeed.com blog. this is scary!!!

However on a positive note, if you're getting hacked, that means you were special enough for the attention ;)
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,560
6,059
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:
password_strength.png
 

Mac_Max

macrumors 6502
Mar 8, 2004
404
1
You guys are using salted/hashed passwords right... right? That's what it says in the Canonical blog so I assume that's the case since you said the incident is similar.

If that is the case I'm not too worried. That said, you should take the time to switch away from MD5 if you haven't already.
 

Chuck-Norris

macrumors 6502a
Sep 17, 2012
850
1
are you f ing serious???????? all my posts about screen retention and iPhone bitching is now on the net?????
 

LarryRoth

macrumors newbie
Jun 25, 2010
4
1
Nice way to handle the situation

I just wanted to say that the transparent way you dealt with the unfortunate situation and the response you posted speaks highly of your site.

I've always enjoyed this site, and while I rarely post in the forum, I have found the comments and discussion to be very valuable.

Keep up the good work!
 

iCam

macrumors newbie
Oct 28, 2013
16
0
I knew something was up. Every time I clicked on a new thread it kept asking for my login info, even though I was already logged in.
 

yg17

macrumors Pentium
Aug 1, 2004
15,027
3,002
St. Louis, MO
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.

vBulletin uses an MD5 hash with a salt to store passwords, so they're not being stored plain text, but who's to say they won't be brute forced? With breaches like this, you always assume the worst.
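
An added example, not part of any post in this thread and not vBulletin's or MacRumors' code: one way a site could act on the "switch away from MD5" advice above without waiting for every user to log in, by wrapping each stored salted-MD5 value in a slow key-derivation function. The legacy scheme `md5(md5(password) + salt)`, the record layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def legacy_md5(password: str, salt: str) -> str:
    # Assumed legacy scheme: md5(md5(password) + salt), hex-encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def wrap_record(record: dict) -> dict:
    """Upgrade a stored legacy record offline; the password is not needed."""
    kdf_salt = os.urandom(16)
    slow = hashlib.pbkdf2_hmac("sha256", record["hash"].encode(),
                               kdf_salt, ITERATIONS)
    return {"scheme": "pbkdf2(md5)", "salt": record["salt"],
            "kdf_salt": kdf_salt, "hash": slow}

def verify(record: dict, password: str) -> bool:
    # Recompute the legacy value first, then the slow wrapper if present.
    inner = legacy_md5(password, record["salt"])
    if record["scheme"] == "md5":
        return hmac.compare_digest(inner, record["hash"])
    slow = hashlib.pbkdf2_hmac("sha256", inner.encode(),
                               record["kdf_salt"], ITERATIONS)
    return hmac.compare_digest(slow, record["hash"])

def demo() -> dict:
    # Constructed sample account, not real data.
    salt = "a1B2c3"
    password = "correct horse battery staple"
    old = {"scheme": "md5", "salt": salt, "hash": legacy_md5(password, salt)}
    new = wrap_record(old)
    return {"old_ok": verify(old, password),
            "new_ok": verify(new, password),
            "new_rejects_wrong": not verify(new, "Tr0ub4dor&3"),
            "md5_still_stored": old["hash"].encode() in new["hash"]}

if __name__ == "__main__":
    print(demo())
```

After the wrap, the database no longer holds a value that can be tested at MD5 speed; every guess costs the full iteration count. A single unsalted or salted SHA-256 would be just as cheap to guess against as MD5, so the work factor is what matters here.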
 

ZOZO

macrumors member
Nov 11, 2013
65
0
They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.

arn

I don't understand why the internet still uses MD5. Isn't SHA256 much more secure?
 