Ubuntu Forum Hacked; 1.8 Million Accounts Compromised

The defacement was only online for a few minutes, but long enough for it to be captured: a gun-toting penguin that seems to be saying the hack was performed by @Sputn1k. A message beneath the image states, "None of this 'y3w g0t haxd by albani4 c3bir 4rmy' stuff. Straight up, you dun goofed. It's as simple as that."

Sputn1k, however, is not very popular. "You must feel proud defacing a site by volunteers. They dedicate time and effort to make a free distro. Worst kind of 'hacker'" tweeted Alex. "This jerk took down the Ubuntu Forums, one of the most important resources on the web. Let's hope he gets what's coming to him" tweeted Kim Belding.

Sputn1k himself has just three tweets on his own account, the latest of which simply reads, "Sputn1k beging for mercy #lulz."

The message from Canonical that replaced the defacement provides further information, and it is still in place at the time of writing. "Unfortunately", it says, "the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database." It adds that the passwords "are not stored in plain text, they are stored as salted hashes."

It doesn't say how many passwords have been stolen. The Register comments, "a quick trip to the site through the wayback machine produces a page stating the site has 1,824,159 members, of whom 19,493 are classified as 'active.'"

That's a lot of passwords – and undoubtedly that will include a lot of weak passwords and a lot of passwords that are reused on other accounts. Despite the hashing and salting, the weak passwords will be easily cracked, and wherever a cracked password is reused, the other account is compromised too. "If you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP," warns Canonical.
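Why "salted hashes" is reassuring but not sufficient, as an added illustration (not code from Canonical or the forum software, whose actual hash scheme the article does not state): a per-user salt defeats precomputed tables, but with a single fast hash each guess is cheap, so a password on a common list falls in a few attempts. The defensive counterpart is a slow KDF plus a common-password check; the hash functions, salt size, iteration count and guess costs below are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password list (not a real wordlist).
COMMON_PASSWORDS = {"password", "123456", "ubuntu", "qwerty", "letmein"}


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted single-round SHA-1 (assumed scheme): the salt defeats precomputed
    tables, but each guess costs one hash, so weak passwords still fall fast."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256, a deliberately slow KDF: same salt benefit, but
    every guess now costs `iterations` HMAC rounds instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str, iterations: int = 100_000) -> tuple[bytes, bytes]:
    """Per-user random salt plus slow KDF. Passwords on the common list are
    rejected up front: no storage scheme protects a guessable password."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password list")
    salt = os.urandom(16)
    return salt, slow_salted_hash(password, salt, iterations)


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Constant-time comparison so verification itself leaks nothing."""
    return hmac.compare_digest(slow_salted_hash(password, salt, iterations), digest)


def seconds_to_exhaust(guess_space: int, seconds_per_guess: float) -> float:
    """Defender's cost model: time to try every candidate once. The per-guess
    cost is the only term the hashing scheme controls; salting does not change
    it, a slow KDF multiplies it."""
    return guess_space * seconds_per_guess


if __name__ == "__main__":
    salt, digest = store("correct-horse-battery")
    print("verify ok:", verify("correct-horse-battery", salt, digest))
    # Assumed costs: ~1e-9 s per fast hash, ~1e-3 s per 100k-round PBKDF2.
    print("1M guesses, fast hash:", seconds_to_exhaust(10**6, 1e-9), "s")
    print("1M guesses, slow KDF: ", seconds_to_exhaust(10**6, 1e-3), "s")
```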

But even without cracking the passwords, Graham Cluley sees another threat. The attackers have the email addresses of users known to have an interest in Ubuntu. That is enough for a spam campaign, but "perhaps even launching a carefully-crafted attack designed to pique the interest of Ubuntu lovers." Victims of this hack should therefore also beware of Ubuntu-themed phishing attacks.