The popular MacRumors Forums site has confirmed that it was successfully hacked on Monday this week. The vBulletin-powered forums fell victim to what it describes as a breach similar to the one that hit the Ubuntu forums earlier in the year. "Our case is quite similar," says MacRumors founder Arnold Kim, who continues, "with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials." Unlike the Ubuntu breach, though, no site defacement appears to have taken place.
In the case of MacRumors, that means some 860,000 usernames, email addresses and hashed passwords were potentially compromised. The official advice is to assume that your login is now known and to change your password immediately. Amichai Shulman, CTO of security outfit Imperva, warns other forums that when "you use third party components you expose your network to the threats faced by all those applications, significantly increasing your attack surface." vBulletin was, of course, found to be vulnerable to an exploit that enables an attacker to create a secondary admin account and effectively take control of the target site. DaniWeb used to operate on a heavily customised vBulletin platform but replaced it with a proprietary platform developed entirely in-house last year.
Here's that MacRumors Forum confirmation in full:
Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher. We believe that at least some user information was obtained during the attack.
In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password are now known. What this means for you, if you have a MacRumors Forums account, is the following:
Change your password on our forums. If you have any problems, please contact us.
If you used the same password on any other site, change it there also.
There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as Lastpass, 1Password or iCloud keychain in Mavericks.
Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar, with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials.
We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.