Gun-wielding penguin promises not to leak 1.8 million passwords stolen from Ubuntu Forums

Last weekend there was a massive data breach, resulting in the email address, password and username of Ubuntu's online forums being stolen.

The hacker who claimed responsibility, Sputn1k_, defaced the site with an image of a gun-wiedling penguin.

Ubuntu forums defacement

At the time of writing, Ubuntu Forums is still down for maintenance, while its administrators check that they have properly hardened its defences against future exploitation. They are also, presumably, busy wiping some of the egg off their face after what appears to be an embarrassing example of an organisation not running a tight ship security-wise.

Perhaps the length of the downtime indicates that they are undergoing a major overhaul of the site, perhaps throwing out vBulletin which they were using to run their forums before for something else.

The silver lining on the cloud is that Sputn1k_ (man, that underscore is so irritating) says that he has no intentions to exploit the personal information he stole.

Message from Sputn1K

You can stop worrying about your passwords. Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be the strongest, when you're dealing with 1.8m users it would take a very long time to get anywhere with the hashes. You don't have to worry about a DB leak. That isn't how I like to do things.

If I do get into a website, most of the time there's no REAL malicious intentions. Grab the database, leave a message. That's it. I don't like to over-do things. Might cause some downtime, but what if it WAS the "syr14n c3b3r 4rmy" (not that their brain-dead brains have the power to do anything whatsoever), and they did have malicious intentions, and they did leak the database and use it to their own advantage?

Oh, and keep on raging and sending me rage tweets, I love it.

Sputn1k_ may try to ease his conscience with claims that he had no "real" malicious intent, but this was still a case of unauthorised access to a computer system which means it was a crime. Furthermore, he made unauthorised changes to the computer system by defacing the Ubuntu Forums site.

If Sputn1k_ is identitified by the computer crime authorities he may come to regret taking credit for the hack quite so publicly.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

One Response

  1. cypherpunk

    July 23, 2013 at 2:18 pm #

    Seems like Twitter suspended his username? Or he closed his account?

Leave a Reply