
MacRumors

macrumors bot
Original poster
Apr 12, 2001


Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password are now known. While the passwords are "hashed" (which is a one-way conversion from your actual password to a scrambled version), given computing power these days, if your password isn't very complex, they could brute-force it by trying lots of combinations.

What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as Lastpass or 1Password.

Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar: a moderator account was logged into by the hacker, who was then able to escalate their privileges with the goal of stealing user login credentials.

We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.


Why did I not get an email sooner?

According to our email service, sending such a large burst of email in one day to all of our users will result in many of those emails getting automatically blocked. As such, we are sending emails out over time to ensure they reach your inbox.

Article Link: MacRumors Forums: Security Leak
 
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.
 
holy moly..... :eek:

and there I was guessing MR admins were busy making Christmas cookies for everyone :D
 
You could have ****ing told us as soon as it happened, the forum had been in maintenance mode for ages, why not tell us as soon as you put it like that?
 
Of all my years with MacRumors I've never seen anything like this.

I like MacRumors so much that I truly don't mind.

Just glad to be back on the forums!:D
 
lol

OMG! I added WP features to lock down my http://vaultfeed.com blog. this is scary!!!

However, on a positive note, if you're getting hacked, that means you were special enough for the attention ;)
 
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:
[image: XKCD comic "Password Strength"]
 
You guys are using salted/hashed passwords right... right? That's what it says in the Canonical blog so I assume that's the case since you said the incident is similar.

If that is the case I'm not too worried. That said, you should take the time to switch away from MD5 if you haven't already.
 
Are you f-ing serious???????? All my posts about screen retention and iPhone bitching are now on the net?????
 
Nice way to handle the situation

I just wanted to say that the transparent way you dealt with the unfortunate situation and the response you posted speaks highly of your site.

I've always enjoyed this site, and while I rarely post in the forum, I have found the comments and discussion to be very valuable.

Keep up the good work!
 
I knew something was up. Every time I clicked on a new thread it kept asking for my login info, even though I was already logged in.
 
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.

vBulletin uses an MD5 hash with a salt to store passwords, so they're not being stored plain text, but who's to say they won't be brute forced? With breaches like this, you always assume the worst.
 
They are vBulletin's standard MD5-hashed and salted passwords, which is not that strong, so assume that your password can be determined with time.

arn

I don't understand why the internet still uses MD5. Isn't SHA256 much more secure?
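The three points the thread circles around (the original post's warning that a hashed password can still be brute-forced, arn's note that the forum used vBulletin's salted MD5, and the question above of whether SHA-256 would be "much more secure") come down to one number: the cost of a single guess. The script below is an added example, not code from MacRumors or vBulletin. It reproduces vBulletin 3.x/4.x's documented md5(md5(password) + salt) construction, the same construction with SHA-256, and a deliberately slow PBKDF2-HMAC-SHA256 hash, then runs the same offline guessing attack against each. The user table, salts, passwords, wordlist and the 600,000-iteration work factor are all constructed for the demonstration.

```python
"""Why 'MD5 + salt' falls quickly, and why 'SHA-256 + salt' would not help much."""
import hashlib
import hmac
import itertools
import string
import time

ALPHABET = string.ascii_lowercase + string.digits

# vBulletin 3.x/4.x stores md5(md5(password) + salt), all as hex strings.
# Reproduced from vBulletin's publicly documented scheme; the salts below are constructed.
def vbulletin_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

# The "upgrade" asked about in the thread: same construction, bigger/faster-to-verify digest.
def sha256_hash(password: str, salt: str) -> str:
    return hashlib.sha256((password + salt).encode()).hexdigest()

# A deliberately slow password hash. 600k iterations of PBKDF2-HMAC-SHA256 is an
# assumed work factor in the range recommended today; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()

def verify(stored: str, password: str, salt: str, hash_fn) -> bool:
    # Constant-time compare so the login check itself does not leak a prefix match.
    return hmac.compare_digest(stored, hash_fn(password, salt))

def crack(stored: str, salt: str, hash_fn, wordlist, max_brute_len: int = 3):
    """Offline guessing attack against one leaked (hash, salt) row.

    Tries the wordlist first, then every lowercase+digit string up to
    max_brute_len characters. Returns (recovered_password_or_None, guesses_made).
    The salt defeats precomputed tables but is public to the attacker, so it adds
    no cost per guess; only the hash function's speed does.
    """
    guesses = 0
    for cand in wordlist:
        guesses += 1
        if hash_fn(cand, salt) == stored:
            return cand, guesses
    for length in range(1, max_brute_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            guesses += 1
            cand = "".join(chars)
            if hash_fn(cand, salt) == stored:
                return cand, guesses
    return None, guesses

# Constructed "user table" in the shape of a leaked forum dump: one short password,
# one dictionary word, and two users sharing that word (to show what the salt buys).
USERS = {
    "alice": ("mr7", "a1b"),
    "bob":   ("letmein", "x9z"),
    "carol": ("letmein", "q2w"),
}
WORDLIST = ["password", "123456", "qwerty", "letmein", "macrumors"]  # constructed

def demo() -> dict:
    out = {}
    # 1. Per-user salts: the same password gives different hashes, so one
    #    precomputed table cannot crack every row at once...
    out["salted_hashes_differ"] = (
        vbulletin_hash("letmein", USERS["bob"][1]) != vbulletin_hash("letmein", USERS["carol"][1])
    )
    # 2. ...but each row is still crackable on its own, and switching the digest
    #    from MD5 to SHA-256 changes nothing about how many guesses are needed.
    for name, fn in (("md5", vbulletin_hash), ("sha256", sha256_hash)):
        for user, (pw, salt) in USERS.items():
            out[f"{name}:{user}"] = crack(fn(pw, salt), salt, fn, WORDLIST)
    # 3. Against a slow KDF the attacker can still afford a short wordlist, but the
    #    exhaustive search that recovers "mr7" above is switched off here because
    #    it would take hours instead of milliseconds.
    bob_pw, bob_salt = USERS["bob"]
    out["pbkdf2:bob"] = crack(pbkdf2_hash(bob_pw, bob_salt), bob_salt, pbkdf2_hash,
                              WORDLIST, max_brute_len=0)
    # 4. Cost per guess: one PBKDF2 evaluation versus one vBulletin-style MD5.
    t0 = time.perf_counter(); vbulletin_hash("benchmark", "abc"); t1 = time.perf_counter()
    pbkdf2_hash("benchmark", "abc"); t2 = time.perf_counter()
    out["slowdown_factor"] = (t2 - t1) / max(t1 - t0, 1e-9)
    out["verify_ok"] = verify(pbkdf2_hash(bob_pw, bob_salt), bob_pw, bob_salt, pbkdf2_hash)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows "mr7" and "letmein" falling to the same number of guesses under MD5 and SHA-256, because both are designed to be fast; a GPU evaluates either at billions per second, which is what the original post means by "given computing power these days". The slowdown factor printed for PBKDF2 is the only thing that changes the attacker's arithmetic, which is why the practical advice in the thread (a long, unique password per site) matters more than the digest algorithm, and why a site migrating off MD5 should move to a slow, tunable hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) rather than to bare SHA-256.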
 