BreachExchange mailing list archives

Hack of MacRumors forums exposes password data for 860,000 users


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 14 Nov 2013 00:17:16 -0700

http://arstechnica.com/security/2013/11/hack-of-macrumors-forums-exposes-password-data-for-860000-users/

MacRumors user forums have been breached by hackers who may have acquired
cryptographically protected passwords belonging to all 860,000 users, one
of the top editors of the news website said Tuesday evening.

"In situations like this, it's best to assume that your MacRumors Forum
username, e-mail address and (hashed) password is now known," Editorial
Director Arnold Kim wrote in a short advisory. He went on to advise users
to change their passwords for their MacRumors accounts and any other
website accounts that were protected by the same passcode.

The MacRumors intrusion involved "a moderator account being logged into by
the hacker who then was able to escalate their privileges with the goals of
stealing user login credentials," Kim said. MacRumors is still
investigating how the attacker managed to compromise the privileged account.

"We're not sure how the original moderator's password was obtained, but it
seems like they just logged in with it," Kim wrote in an e-mail to Ars. "We
are looking into it further to see if there was another exploit, but there
hasn't been any evidence of it yet." Kim also told Ars that log files
examined so far seem to indicate that the intruder "tried to access" the
password database. At this early stage, there are no indications that the
passwords, either in cryptographically hashed or cracked format, are
circulating online. There's also no sign that the hackers were able to
access any data other than that belonging to the user forums.

Kim went on to compare the hack to one that hit Ubuntu forums in July. The
Ubuntu breach exposed cryptographically hashed password data for an
estimated 1.82 million users to hackers who went on to deface the site's
home page. Like the Ubuntu forums, MacRumors used the MD5 algorithm, along
with a per-user cryptographic salt, to convert plaintext passwords into a
one-way hash.

The scheme is the standard protection provided by VBulletin, the Web
software used on both the Ubuntu and MacRumors forums. Still, many password
experts consider the MD5 with or without salt to be an inadequate means of
protecting stored passwords. They say that while per-user salt slows down
the time it takes to crack large numbers of passwords in unison, it does
little or nothing to delay the cracking of small numbers of hashes. That
means the scheme deployed by MacRumors does nothing to prevent the decoding
of individual hashes that may be targeted because of the attractiveness of
the specific user it belongs to—a high-ranking executive or celebrity, for
instance, or people whose e-mail addresses belong to Fortune-500 domains.

Some MacRumors account holders have reported compromises affecting accounts
they have on other sites, although at this early stage it's impossible to
know if that's linked to the MacRumors security breach.

Readers who had MacRumors accounts would do well to follow Kim's advice and
immediately change login credentials that use the same or similar password.
They should also be vigilant of phishing attempts, since their user names
and e-mail addresses have also been exposed.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 