top | item 6081845

Ubuntu forums breached - all passwords compromised

36 points| boothead | 12 years ago |ubuntuforums.org

44 comments

[+] welder|12 years ago|reply
So glad I use a random different password for EVERY account.
[+] tommaxwell|12 years ago|reply
Not sure if sarcasm, or you're saying you use the same password on every site.
[+] elchief|12 years ago|reply
hopefully it's not {password}ubuntuforums.org and {password}google.com ...
[+] favadi|12 years ago|reply
The best joke ever.
[+] lcedp|12 years ago|reply
Well, salted hashed - not exactly "passwords compromised"?
[+] harrytuttle|12 years ago|reply
As good as.

$stored = md5(md5($password) . $salt);

That is the simple hash function.

[+] nnwa|12 years ago|reply
As I said when I previously commented, I find it pretty ironic that these kinds of breaches could have been avoided by simply creating a whitelist for their admin panel. This isn't rocket science. The majority of breaches of this size that keep occurring are password reuse, or open admin panels (bruteforce attacks). Who needs a vulnerability when an attacker can simply look up the Administrators on databases they already have?
[+] lukeman|12 years ago|reply
It would be nice if they'd allow you to test whether your email was in the data. As-is I'm left wondering if I ever had an account.
[+] seewhat|12 years ago|reply
I believe Canonical sent warning emails to ubuntuforums.org account addresses.
[+] rob22|12 years ago|reply
It's a forum. People are simply asking their doubts. Why were they hacking these sites? I can't figure it out exactly.
[+] aram|12 years ago|reply
Email addresses + passwords + possibly other things as well.

Many people reuse the same email and password on other services/websites, so this is pretty valuable and sensitive information.

[+] Sanddancer|12 years ago|reply
Assholes who just like kicking anthills, assholes who seek to get people's accounts for profit, and assholes who like kicking anthills for profit.
[+] thejosh|12 years ago|reply
People use the same passwords for multiple things. If they have passwords for one site they can try it for multiple websites.
[+] mukundmr|12 years ago|reply
I hope they used something sensible like bcrypt for encryption instead of MD5 which is too easy to crack these days.
[+] pkolaczk|12 years ago|reply
Usually it is the password itself that is attacked, not the hashing algorithm. Many people use weak passwords and it is not that hard to use dictionary attacks against them.
[+] kachnuv_ocasek|12 years ago|reply
It's not encryption, it's hashing. Also, I don't see how MD5 is easy to crack.
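
Added example, not part of the thread and not the forum software's code: the double-MD5 scheme quoted above beside bcrypt, with a login-time upgrade path for existing rows. The record layout (`scheme`, `salt`, `hash`), the function names and the cost factor of 12 are assumptions for illustration.

```php
<?php
// Added example: names, record layout and cost factor are assumptions.
const BCRYPT_OPTS = ['cost' => 12];

// Scheme quoted in the thread. MD5 is fast, so a leaked table can be
// tested against a dictionary at very high guess rates.
function legacy_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Wrap a stored legacy hash in bcrypt without knowing the password, so
// every row can be converted in one batch right after deployment.
function wrap_legacy(array $rec): array
{
    $rec['hash'] = password_hash($rec['hash'], PASSWORD_BCRYPT, BCRYPT_OPTS);
    $rec['scheme'] = 'wrapped';
    return $rec;
}

// Verify a login; on success, re-hash directly with bcrypt.
// Returns [bool $ok, array $rec]; the caller persists $rec.
function verify_and_upgrade(string $password, array $rec): array
{
    if ($rec['scheme'] === 'legacy') {
        $ok = hash_equals($rec['hash'], legacy_hash($password, $rec['salt']));
    } elseif ($rec['scheme'] === 'wrapped') {
        $ok = password_verify(legacy_hash($password, $rec['salt']), $rec['hash']);
    } else {
        $ok = password_verify($password, $rec['hash']);
    }
    $stale = $rec['scheme'] !== 'bcrypt'
        || password_needs_rehash($rec['hash'], PASSWORD_BCRYPT, BCRYPT_OPTS);
    if ($ok && $stale) {
        $rec = ['scheme' => 'bcrypt', 'salt' => '',
                'hash' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS)];
    }
    return [$ok, $rec];
}

// Constructed sample row, not data from the breach.
$row = ['scheme' => 'legacy', 'salt' => 'x7Q',
        'hash' => legacy_hash('correct horse', 'x7Q')];
$row = wrap_legacy($row);
[$bad] = verify_and_upgrade('wrong guess', $row);
[$ok, $row] = verify_and_upgrade('correct horse', $row);
var_dump($bad, $ok, $row['scheme']);
```
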
[+] jlebrech|12 years ago|reply
This is why I always use a memorable low-entropy password for forums and high-entropy for emails.

Any unimportant site that demands a high security password (or low-entropy with silly rules) gets put into my KeePass.

[+] blablabla123|12 years ago|reply
note to myself: don't use primary mail account for website registrations
[+] sspiff|12 years ago|reply
I switched to using a few registration-specific emails after getting my own domain: [email protected] for really dodgy sites or sites I suspect will generate a bunch of crap periodical emails, and [email protected] for the sites I have a little more faith in.

It allows for much easier filtering of my email as well: I only get the emails I care for in my inbox.

[+] trvz|12 years ago|reply
"If they can't keep their forums secure, why should I even use their operating system?"
[+] ygra|12 years ago|reply
Because very likely very different people work on administering the fora and developing the operating system.