Although MacRumors has released few details so far, it has at least acted quickly in informing its users of the breach. "Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July," wrote Arnold Kim. "Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar, with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials."
"Someone gained access to a privileged account and then used that as a jump point into the system," explained independent pen tester and password specialist Robin Wood to Infosecurity. "That could either have been through password guessing, dropping malware on the moderator's machine or a few other techniques; there is no way to know unless they tell us."
Kim has been refreshingly open so far. He doesn't say that the entire database was stolen (although he doesn't say it wasn't), but admits that "We believe that at least some user information was obtained during the attack." He then adds that users should assume that their username, email address and hashed password are now known. Asked how the passwords were stored, he said, "They are vBulletin's standard MD5 hashed and salted. Which is not that strong, so assume that your password can be determined with time."
"It is good that they came forward and announced it," said Wood, "but it is so big I don't think they would have got away with trying to hide it – so no point trying." But it is not so good that MD5 was used. "The fact the passwords were hashed and salted is better than them just being hashed, or worse stored as clear text," Wood explained; "but the fact they used MD5 means they are at higher risk of being cracked despite the complexity added by the salt."
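The two points above, salted MD5 being cheap to guess against and the fix being a slower hash, can be shown from the defender's side. This is an added example, not code from the article or from vBulletin: the md5(md5(password) + salt) construction, the record layout, the sample password and the 600,000 PBKDF2 iterations are all assumptions. It verifies a legacy salted-MD5 record, rewrites it with PBKDF2-HMAC-SHA256 on the next successful login, and measures how much more CPU one check of the slow hash costs than one salted-MD5 check.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # deliberately slow: one check costs tenths of a second of CPU

# Assumption (the article only says "MD5 hashed and salted"): the legacy value is
# md5(md5(password) + salt), a salted-MD5 construction typical of forum software of that era.
def legacy_md5_salted(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def modern_hash(password: str, salt: bytes = b"") -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as a self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def login_and_upgrade(record: dict, password: str) -> tuple:
    """Check the password against whichever scheme the record uses. A correct login
    against a legacy record rewrites it with the slow hash, so the MD5 digest is no
    longer stored at all. Returns (accepted, possibly-updated record)."""
    if record["scheme"] == "legacy_md5":
        ok = hmac.compare_digest(legacy_md5_salted(password, record["salt"]), record["hash"])
        return ok, ({"scheme": "pbkdf2_sha256", "hash": modern_hash(password)} if ok else record)
    return verify_modern(password, record["hash"]), record

def cost_per_guess_ratio(samples: int = 2000) -> float:
    """How many times more CPU one PBKDF2 check costs than one salted-MD5 check."""
    t0 = time.perf_counter()
    for i in range(samples):
        legacy_md5_salted(f"guess{i}", "saltsalt")
    legacy_seconds = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    modern_hash("guess", b"\x00" * 16)
    return (time.perf_counter() - t0) / legacy_seconds

if __name__ == "__main__":
    # Constructed sample record in the legacy format; the password is made up for the demo.
    rec = {"scheme": "legacy_md5", "salt": "Kx9#q", "hash": legacy_md5_salted("correct horse", "Kx9#q")}
    ok, rec = login_and_upgrade(rec, "correct horse")
    print(ok, rec["scheme"], f"{cost_per_guess_ratio():.0f}x more CPU per guess")
```

The ratio printed is in the tens of thousands on ordinary hardware, which is the margin a slow hash buys a site's users when its database leaks.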
David Harley, a senior research fellow at ESET, believes the speed with which MacRumors admitted the breach goes some way to mitigating the potential effects. "They didn't mess about trying to remediate, apparently prioritizing the welfare of their customers," Harley said. In some ways it now boils down to a race – will the hackers crack passwords that are also used in other accounts before the 860,000 MacRumors users can change them?
That race may be quite urgent – some users have already given indications of possible hacker activity. "I received a notification from Yahoo saying my account was locked due to suspicious activity," posted one user to the forum. "I was surprised, as I hadn't been doing anything with it in the last few days."
"It seems that we increasingly have to give the same advice following breaches like this," Harley told Infosecurity. "Change your password on the compromised site; change it anywhere you used the same password (but not to the same password as you used on the compromised site)." And if you have problems remembering multiple passwords, use a password manager. "The ones recommended by MacRumors are sound, as far as I know," he added – but warned that care is still needed: "there are a lot of 'security programs' turning up on search engines that are snake oil or even actively malicious."