Hacker Stole 860,000 MacRumors Passwords, Tells Victims to Chill Out
Breaching the security of a website or Web service should be one of the most difficult tasks on earth, but given the fact that not a week can go by where we don't learn of some security issue at a major firm, it's clear that most of the Web is seriously lacking in setting up proper barriers.
In recent months, Adobe was hit particularly hard, what with "millions" of customers affected due to a breach that saw lots of credentials milked from its servers. This past July, Ubuntu's official forums also made headlines, thanks to a leak of data that affected nearly 2 million accounts. That issue ties indirectly into the latest breach, affecting tech site MacRumors.
Late this week, MacRumors posted a notice stating that someone had gained access to the database of its forums and thus made off with credentials for 860,000 accounts. For those who use a unique password for each Web service they use, the affects of this "hack" is admittedly little. Unfortunately, because many continue to share the same password amongst numerous accounts, the issue becomes much more severe for them.
Site Editorial Director Arnold Kim stated that the breach was similar to the one that struck the Ubuntu forums this past summer - both of which relied on vBulletin's forum software. Coincidentally, I received an email from vBulletin this morning which stated a similar issue affecting its own forums. Part of the message read:
We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
This isn't the first time vBulletin has been in the news for security reasons, but this issue affecting its own service seems to be brand-new, and hasn't been reported on much (I couldn't even find a notice on its own website). I verified the issue by trying to log into the official forums, and sure enough, I'm prompted with a password reset.
Since the breach at MacRumors, the culprit has stated that he has no intention of causing trouble en masse. Instead, the leak was to sharpen some skills, and perhaps to teach people a lesson: "We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."
If you're not already in the habit of using a unique password on each service, wouldn't it be a great time to start? I'd recommend checking out a tool like LastPass to make things easier - it's one I've come to rely on heavily, as it makes juggling a countless number of complex passwords a non-issue.