Gun-wielding penguin promises not to leak 1.8 million passwords stolen from Ubuntu Forums

Graham Cluley

Last weekend there was a massive data breach, resulting in the email addresses, passwords and usernames of users of Ubuntu’s online forums being stolen.

The hacker who claimed responsibility, Sputn1k_, defaced the site with an image of a gun-wielding penguin.

Ubuntu forums defacement

At the time of writing, Ubuntu Forums is still down for maintenance, while its administrators check that they have properly hardened its defences against future exploitation. They are also, presumably, busy wiping some of the egg off their face after what appears to be an embarrassing example of an organisation not running a tight ship security-wise.

Perhaps the length of the downtime indicates that they are undertaking a major overhaul of the site, perhaps throwing out vBulletin, which they had been using to run their forums, in favour of something else.

The silver lining on the cloud is that Sputn1k_ (man, that underscore is so irritating) says that he has no intention of exploiting the personal information he stole.

Message from Sputn1K

You can stop worrying about your passwords. Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt)). Whilst it may not be the strongest, when you’re dealing with 1.8m users it would take a very long time to get anywhere with the hashes. You don’t have to worry about a DB leak. That isn’t how I like to do things.

If I do get into a website, most of the time there’s no REAL malicious intentions. Grab the database, leave a message. That’s it. I don’t like to over-do things. Might cause some downtime, but what if it WAS the “syr14n c3b3r 4rmy” (not that their brain-dead brains have the power to do anything whatsoever), and they did have malicious intentions, and they did leak the database and use it to their own advantage?

Oh, and keep on raging and sending me rage tweets, I love it.
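
The hashing scheme named in the message above, md5(md5($pass).$salt), written out as an added example (not code from the original post, from vBulletin or from Ubuntu Forums), with the cost of one computation measured against a deliberately slow password hash. PBKDF2-HMAC-SHA256 at 600,000 iterations is a stand-in chosen for this example, the passwords and salts are constructed, and the inner digest is taken as lowercase hex because that is what PHP's md5() returns.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_vb_hash(password: str, salt: str) -> str:
    """md5(md5($pass).$salt) as quoted in the message; inner digest is hex text."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def verify_legacy(password: str, salt: str, stored_hex: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(legacy_vb_hash(password, salt), stored_hex)


def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(slow_hash(password, salt), stored)


def per_hash_seconds(fn, repeats: int) -> float:
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def cost_ratio() -> float:
    """CPU cost of one slow_hash relative to one legacy hash on this machine."""
    salt_text, salt_bytes = "constructed-salt", os.urandom(16)  # constructed values
    fast = per_hash_seconds(lambda: legacy_vb_hash("correct horse", salt_text), 20_000)
    slow = per_hash_seconds(lambda: slow_hash("correct horse", salt_bytes), 1)
    return slow / fast


if __name__ == "__main__":
    stored = legacy_vb_hash("correct horse", "constructed-salt")
    print("legacy hash:", stored)
    print("legacy verify:", verify_legacy("correct horse", "constructed-salt", stored))
    print("slow hash costs %.0fx one legacy hash" % cost_ratio())
```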

Sputn1k_ may try to ease his conscience with claims that he had no “real” malicious intent, but this was still a case of unauthorised access to a computer system which means it was a crime. Furthermore, he made unauthorised changes to the computer system by defacing the Ubuntu Forums site.

If Sputn1k_ is identified by the computer crime authorities he may come to regret taking credit for the hack quite so publicly.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
