
The popular MacRumors Forums site has confirmed that it was successfully hacked on Monday this week. The vBulletin-powered forums fell victim to what it describes as a breach similar to the one that hit the Ubuntu Forums earlier in the year. "Our case is quite similar," says MacRumors founder Arnold Kim, who continues, "with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials." Unlike the Ubuntu breach, though, no site defacement appears to have taken place.

In the case of MacRumors, that means some 860,000 usernames, email addresses and hashed passwords were potentially compromised. The official advice is to assume that your login is now known and to change your password immediately. Amichai Shulman, CTO of security outfit Imperva, warns other forum operators that when "you use third party components you expose your network to the threats faced by all those applications, significantly increasing your attack surface." vBulletin was, of course, found to be vulnerable to an exploit that enables an attacker to create a secondary admin account and effectively take control of the target site. DaniWeb used to operate on a heavily customised vBulletin platform but replaced this with a totally in-house developed proprietary platform last year.
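The advice to treat a "hashed" password as already known is worth seeing in practice. The following is an added illustration, not code from MacRumors, DaniWeb or vBulletin: it assumes the classic vBulletin 3/4 scheme of md5(md5(password) + salt) (the page does not say which scheme the MacRumors install used), builds a few constructed leak rows of the kind a dump exposes (username, email, salt, hash), and runs a small wordlist with common mangling rules against them. The weak, reused-style passwords fall immediately; the long random one generated the way a password manager would does not.

```python
"""
Why a leaked forum hash should be treated as "known": a worked example.

Added illustration, not code from MacRumors, DaniWeb or vBulletin.
Assumption: hashes follow the vBulletin 3/4 construction
md5(md5(password) + salt).  All rows, salts and the wordlist below are
constructed for the demo; the plaintexts exist only to build the fixtures.
"""
import hashlib
import itertools
import secrets

def vb_hash(password: str, salt: str) -> str:
    """md5(md5(password) . salt): two rounds of unsalted-then-salted MD5.
    Both rounds are fast and unkeyed, so offline guessing is cheap."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Short, constructed stand-in for the multi-million-entry lists crackers use.
WORDLIST = ["password", "macrumors", "apple", "iphone", "letmein", "forum"]

def candidates(wordlist):
    """Yield each base word plus cheap mangling rules any cracker applies:
    case variants, then trailing digits, a year and a few common suffixes."""
    suffixes = list(map(str, range(100))) + ["!", "2013", "123"]
    for base in wordlist:
        # dict.fromkeys keeps order while dropping duplicate case variants
        for word in dict.fromkeys([base, base.capitalize(), base.upper()]):
            yield word
            for suffix in suffixes:
                yield word + suffix

def crack(target_hash: str, salt: str, wordlist):
    """Return the first candidate whose vb_hash matches, or None."""
    for cand in candidates(wordlist):
        if vb_hash(cand, salt) == target_hash:
            return cand
    return None

def _row(user, email, password, salt):
    return {"user": user, "email": email, "salt": salt, "hash": vb_hash(password, salt)}

# Constructed sample of what a dump looks like: a real dump has no plaintext
# column, only the hash and its (short, per-user) salt.
LEAK = [
    _row("alice", "alice@example.com", "Macrumors1", "Kq9"),
    _row("bob",   "bob@example.com",   "apple2013",  "x7L"),
    # Manager-generated random password: not derivable from any wordlist.
    _row("carol", "carol@example.com", secrets.token_urlsafe(16), "pZ2"),
]

def crack_leak(rows=LEAK, wordlist=WORDLIST):
    """Map each leaked username to its recovered password, or None."""
    return {r["user"]: crack(r["hash"], r["salt"], wordlist) for r in rows}

def guesses_per_row(wordlist=WORDLIST):
    """How many candidates the rules above produce per row; the salt only
    forces this work to be redone per user, it does not slow a single guess."""
    return sum(1 for _ in candidates(wordlist))

if __name__ == "__main__":
    for user, recovered in crack_leak().items():
        print(f"{user:6s} -> {recovered!r}")
    print("candidates tried per row:", guesses_per_row())
```

The per-user salt stops a single precomputed table from covering every account, but a short wordlist with trivial mangling still recovers the weak entries in milliseconds of pure-Python MD5; a GPU cracker does the same at billions of guesses per second against a list of this size. That is the whole case for the two steps in the MacRumors statement: change the password here, and change it anywhere it was reused.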

Here's that MacRumors Forum confirmation in full:

Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password are now known. What this means for you, if you have a MacRumors Forums account, is the following:

  1. Change your password on our forums. If you have any problems, please contact us.

  2. If you used the same password on any other site, change it there also.

There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as LastPass, 1Password or iCloud Keychain in Mavericks.

Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar, with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials.

We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
