An 800 megabyte MySQL database file is circulating online that contains names, 172,000 e-mail addresses, message histories and partially protected (cryptographically scrambled) login credentials for more than 158,000 forum users. The file also has some user birth dates, IP addresses, site activity and password changes, and all user messages sent through the service. In short, it’s a gold mine for criminal types looking to mount password-cracking campaigns, phishing gambits, identity fraud and more.
According to researchers at RiskBased Security, a person known as “ProbablyOnion” has taken credit for the breach, which happened sometime around March 10. The motivation? For the “lolz,” apparently.
“Mostly to make fun of Samsung, and whatnot,” he or she said, according to the security firm. “Plus, really, they’re running unsecure software and I’m still sitting with a backdoor on it, so really, they’ve learned nothing.”
The cryptology applied to the passwords is not enough protection, RiskBased Security added. “The passwords were apparently salted hashes and easily cracked,” it noted.
The hacker posted a message to the Boxee forums (which have since been taken offline) saying, “thanks for the root, Samsung. It was pretty easy actually.” And then he or she posted an example from the database containing security researcher Brian Krebs’ personal information, presumably to make a point about how anyone, even a security guru, can be a victim.
Perhaps because the compromised data is associated with forum activity instead of the service itself, Boxee has issued no statement on the breach. But users should take action.
“Please update the password for your boxee.tv account immediately," password management service LastPass said in an email sent to customers, reported by Ars Technica. "The LastPass Security Challenge, located in the Tools menu of the LastPass add-on, will help find any other accounts using the same password as the leaked account."