MacRumors hacked - 860,000 email addresses and hashed passwords stolen

The forums of popular Apple news website MacRumors were hacked earlier this week, exposing the usernames, email addresses and hashed passwords of over 860,000 members.

MacRumors announced the security breach in a posting on its site.

MacRumors announcement

Part of the alert read:

Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known. What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

It appears that the hackers managed to gain unauthorised access to MacRumors user database after compromising a moderator's account - raising questions of how diligent that particular user was being with their security.

MacRumors Editorial Director Arnold Kim told readers that the exposed passwords were salted and hashed, using vBulletin's standard MD5 algorithm.

Unfortunately, that's probably an inadequate way to store passwords these days. The use of a different salt for each user can slow down mass-cracking of passwords, but does little to prevent specific users having their passwords determined.

Sensible password security for internet users

MacRumorsAlthough questions may be raised about how well it was protecting its database of passwords, MacRumors should be applauded for offering its readers some sound advice in the wake of the security breach.

You should never use the same password in multiple places, so if there is a risk that your MacRumors might have been exposed, you should be sure to choose a new, hard-to-crack password not just for the MacRumors site, but also for *any* *other* website which could be compromised as a result.

I'm still getting people smirking when I say this, and they can't stop themselves from responding: "That's fine for you to say, Graham. But how am I supposed to *remember* all these passwords for different websites? Your advice is impractical!"

Well, that's why you should simply use password management software like Bitwarden, 1Password, or KeePass. They will not only do the password-remembering for you, but also help by generating hard-to-crack, complex passwords in the first place.

In my view it's much safer to use good password management software than rely on yourself to dream up and remember all of your internet passwords.

Hacker: "We're not going to leak anything"

Fascinatingly, someone claiming to be the hacker has posted on MacRumors own forums about the breach.

Someone calling themselves Lol, claimed to be the person responsible for the hack and said they had no plans to leak any of the stolen information, and were not using the stolen passwords to log into other online accounts.

Post by person claiming to be the hacker

We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Whether "Lol" really is the hacker (it certainly appears that they have inside knowledge), and whether they can be trusted not to exploit the stolen information, is another question entirely of course.

Regardless of their motivation, the hacker has broken the law by breaching MacRumors security.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

2 Responses

  1. Michael W

    November 15, 2013 at 9:07 am #

    I just heard the news. The MacRumors folks are good people. The biggers news is the allegation that vBulletin.com was hacked. I just saw it on Facebook and discovered your article performing a search. So far I haven't heard anything from vBulletin about what, if anything, may have been compromised.

    • Graham Cluley in reply to Michael W.

      November 20, 2013 at 1:59 pm #

      See here for updates from vBulletin:

      https://www.grahamcluley.com/vbulletin-hacked/

      https://www.grahamcluley.com/vbulletin-denies-hackers-claims-zero-day-exploit-forum-software/

Leave a Reply