LibriVox Forum Hacked (fwd)

[security curmudgeon <jericho () attrition org>]

> From: <LibrivoxPasswordReset () librivox org>
> Date: May 26, 2011 11:37:21 PM CDT
> To: undisclosed-recipients:;
> Subject: URGENT: LibriVox Forum Hacked
> Reply-To: <LibrivoxPasswordReset () librivox org>

> The following is an e-mail sent to you by an administrator of "Librivox
> Forum". If this message is spam, contains abusive or other comments you
> find offensive please contact the webmaster of the board at the following
> address:
>
> LibrivoxPasswordReset () librivox org
>
> Include this full e-mail (particularly the headers).
>
> Message sent to you follows:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Dear Librivoxer,
>
> This is Hugh, the founder of LibriVox, writing to let you know that,
> unfortunately, a hacker broke into the LibriVox forum, caused a bit of
> damage (now fixed), but more worryingly, got access to our complete
> database including emails and encrypted passwords. We have locked them out
> of the system, and we?ve fixed the vandalism, but they still have our
> database.
>
> So, in order to protect our users & the LibriVox accounts:
>
> * we have RESET ALL USER PASSWORDS (including yours)
> * the next time you login your password will be invalid
> * you will have to reset your password, using this link:
> http://forum.librivox.org/ucp.php?mode=sendpassword
>
> NOTE1: PLEASE DO NOT USE THE SAME PASSWORD YOU USED BEFORE!
>
> NOTE2: IF YOU USE THE SAME PASSWORD ON OTHER INTERNET SERVICES, WE
> RECOMMEND YOU CHANGE THOSE PASSWORDS TOO.
>
> If you have difficulty resetting your password, please reply to this email
> and ask for help. Be sure to include your forum username.
> LibrivoxPasswordReset () librivox org
>
> In the interests of full disclosure, here is some extra information:
> (1) The database contained every piece of communications sent through the
> forum, including all private messages. This information is now in the
> possession of the hacker.
>
> (2) All forum passwords in the database are encrypted. However, if your
> password was very simple, it will be trivial for the hacker to break the
> encryption using "brute-force" techniques. They will likely attempt exactly
> this, so if you use the same password on any other Internet service, you
> should immediately change your password at those services.
>
> We are very sorry that this happened, and once this is sorted out as best
> as it can be, we?ll be doing a more thorough security review.
>
> If you have questions, please don?t hesitate to contact me.
>
> Sincerely,
> Hugh McGuire
> Founder, Librivox
>
>
> --
> The LibriVox Team
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/