Ubuntu Forums hacked, 1.8 million passwords and emails stolen

There has been a massive data breach this weekend, impacting over 1.8 million users of the Ubuntu operating system.

Canonical, the lead developers of the Ubuntu Linux-based operating system, has admitted that its online forums were not just defaced this weekend, but also that hackers managed to steal every user's email address, password and username from the Ubuntu Forums database.

The first clue that anything was amiss was when hackers posted a (hard-to-miss) message on the Ubuntu Forums homepage of a penguin holding a sniper's rifle:

Ubuntu forums defacement

This was later replaced by an official statement from Ubuntu Forums:

Ubuntu warns users

Ubuntu Forums is down for maintenance

There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly with progress reports.

What we know

  • Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.
  • The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
  • Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.

It's possible that the administrators of Ubuntu Forums weren't doing a great job keeping their forum and server software up-to-date, and this could have allowed the hackers to exploit a vulnerability.

In addition, I think some will raise an eyebrow at the vague language ("not stored in plaintext") used to describe how passwords were secured on the Ubuntu Forums. That seems a missed opportunity to help affected forum users assess how likely it is that their password will be cracked.

However, the advice to ensure that you are using different passwords on different websites is a good one. If you don't do that, there is always the risk that a hack in one place could lead to a security breach against other online accounts that you might own.

Of course, compromised passwords leading to account hacking aren't the only risk here. There is also the danger that the hackers could use the email addresses they have stolen for spam campaigns, perhaps even launching a carefully-crafted attack designed to pique the interest of Ubuntu lovers.

If you ever registered an account on Ubuntu Forums, make sure you aren't using the same password anywhere else and be on your guard.
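Added example (not from the original article or from Canonical): the comment thread below notes that vBulletin stored passwords as md5(md5(pass).salt). The code implements that legacy scheme as stated there, and shows how a forum operator could wrap every stored legacy digest in a slow key-derivation function (PBKDF2 here, as a standard-library stand-in for bcrypt or scrypt) without waiting for users to log in, which is exactly the kind of detail the "not stored in plain text" wording leaves unanswered. Salt format, record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

# Legacy scheme as described in the comment thread: md5(md5(password) + salt).
# Salt length and string encoding are assumptions, not details taken from the page.
def legacy_vbulletin_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Two fast MD5 calls per guess is why the legacy scheme offers little protection once
# the database leaks: each guess costs almost nothing. PBKDF2 with a high iteration
# count makes every guess proportionally more expensive for whoever holds the dump.
PBKDF2_ITERATIONS = 600_000

def wrap_legacy(legacy_digest: str, legacy_salt: str) -> dict:
    """Upgrade one stored legacy record without knowing the user's password.
    The old digest becomes the PBKDF2 input; a fresh random salt is added on top."""
    kdf_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_digest.encode("ascii"),
                             kdf_salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2(legacy)", "legacy_salt": legacy_salt,
            "kdf_salt": kdf_salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "digest": dk.hex()}

def verify(password: str, record: dict) -> bool:
    """Check a login attempt against either record layout using constant-time compare."""
    inner = legacy_vbulletin_hash(password, record["legacy_salt"])
    if record["scheme"] == "legacy":
        return hmac.compare_digest(inner, record["digest"])
    if record["scheme"] == "pbkdf2(legacy)":
        dk = hashlib.pbkdf2_hmac("sha256", inner.encode("ascii"),
                                 bytes.fromhex(record["kdf_salt"]), record["iterations"])
        return hmac.compare_digest(dk.hex(), record["digest"])
    raise ValueError(f"unknown scheme {record['scheme']!r}")

if __name__ == "__main__":
    # Constructed sample record; not data from the actual breach.
    legacy = {"scheme": "legacy", "legacy_salt": "Qz9",
              "digest": legacy_vbulletin_hash("correct horse", "Qz9")}
    upgraded = wrap_legacy(legacy["digest"], legacy["legacy_salt"])
    print(verify("correct horse", legacy), verify("correct horse", upgraded),
          verify("wrong guess", upgraded))  # True True False
```

Once every row carries the wrapped form, the `legacy` branch in `verify` can be deleted and a future disclosure can state the scheme and cost parameters precisely.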



5 Responses

  1. Edward Holcroft

    July 21, 2013 at 5:54 pm #

    Yeah well, hope you know more about 'puters than you do about guns:

    http://blog.robballen.com/Post/3717/because-im-nothing-if-not-helpful

    "sniper's rifle" … snicker

    ;-)

  2. Jeremi Gosney

    July 21, 2013 at 11:40 pm #

    Regarding how the passwords were stored, the site was running vBulletin, and therefore passwords were stored as md5(md5(pass).salt)

  3. Angga Lisdiyanto

    July 22, 2013 at 3:58 am #

    This is seriously dangerous, I hope the hackers just want to do a security test.

  4. Panamint Joe Smith

    July 25, 2013 at 10:23 pm #

    The Ubuntu Forums temporary splash page says the personal messages and posts have been lost. I hope they can find a way to restore at least the posts, as the forums have been a treasure trove of how-to information for Ubuntu Linux users, as well as other users of Debian-derivative systems.
