The hacker behind the MacRumors Forums breach said the attack was “friendly” and that none of the data accessed will be leaked. Editorial Director Arnold Kim confirmed to Threatpost that a post on the forums from the hacker is legitimate.
Kim posted an advisory on the forum on Monday informing users that a breach had occurred, and advising the site’s 860,000-plus members to change their passwords on the forum and anywhere else they might have used the same credential. MacRumors Forums said it has enlisted a third-party security firm to investigate the attack, which it likened to a July break-in at the Ubuntu Forums.
The hacker, who posted the portion of Kim’s password hash and salt as proof of his legitimacy, blamed a MacRumors Forums moderator whose credentials were stolen and used to access the password database.
“We’re not going to ‘leak’ anything. There’s no reason for us to. There’s no fun in that. Don’t believe us if you don’t want to, we honestly could not care less,” the hacker wrote. Kim said this afternoon that the site has no further details on the status of the investigation.
“In situations like this, it’s best to assume that your MacRumors Forum username, email address and (hashed) password is now known,” Kim said.
The hacker confirmed that 860,106 passwords were dumped, and 488,429 still had a salt at least three bits long.
“Anyone that’d been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work do, it’s like to have many with a 3 bit salt),” the hacker’s post said. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results.”
The hacker said put the blame on users for re-using passwords, which is against generally accepted security practices, adding that the credentials are not being exploited to log into web-based email accounts or other online services.
“We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place,” the hacker wrote.
MacRumors Forums, much like the Ubuntu site, runs on the vBulletin platform; all current versions of vBulletin share the same hashing algorithm, according to the attacker, who added that the attack’s success had nothing to do with outdated software or vBulletin, rather the moderator credentials they were able to compromise.
The attack on free Linux distribution Ubuntu in July affected close to 2 million of its forum account members. The access every user’s email address and hashed passwords; Canonical, a U.K.-based software company that backs the distro, also recommended that its users change their forum passwords and anywhere else the password might have been used. Ubuntu’s password trove was also hashed and salted; salting involves adding random characters to a password before it’s hashed. The practice reduces the ability of a hacker to use common password attacks such as dictionary attacks.
“Consider the ‘malicious’ attack friendly,” the MacRumors Forums hacker said. “The situation could have been catastrophically worse if some fame-drive idiot was the culprit and the database were to be leaked to the public.”