Ubuntu forums compromised, details syphoned away

[d_brennen]

Hello,

You are receiving this message because you have an account registered with this address on ubuntuforums.org.

The Ubuntu forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

The ubuntuforums.org website is currently offline and we are working to restore this service. Please take the time to change your ubuntuforums.org account password when service is restored.

We apologize for any inconvenience to the Ubuntu community, thank you for your understanding.

The Canonical Sysadmins.

Just a heads up in case you haven't seen the email. I do wonder if the passwords were really encrypted...

 

[Deleted member 77746]

oh dear!

 

[Hyburnate]

Yeah got the email a couple of days back... The passwords would have just had basic encryption that comes with the original install so easily decrypted.

 

[KIA]

md5+salt?

Strong passwords FTW.

 

[d_brennen]

Yeah got the email a couple of days back... The passwords would have just had basic encryption that comes with the original install so easily decrypted.

COUPLE of days? I got it at 4.30 this morning. Cheers, Comical Sysadmins

 

[Phantom Shadow]

COUPLE of days? I got it at 4.30 this morning. Cheers, Comical Sysadmins

presumable would be some kind of hash such as md5 as said above, so not necessarily that easy to decrypt since it isn't a reversible process? Unless you have a simple password that one of those websites will have that saves the word and its' hash to try and enable a decryption.

 

[BigglesPiP]

presumable would be some kind of hash such as md5 as said above, so not necessarily that easy to decrypt since it isn't a reversible process? Unless you have a simple password that one of those websites will have that saves the word and its' hash to try and enable a decryption.

MD5 attacks are getting very fast now, and the "dictonary" for want of a better word that the hackers use is very well tuned now.

Be assured that if you even had a good password, it will be found. If you also used it for your email or something important where your email is your username, you should certainly change that.

 

[eXor]

md5+salt?

Strong passwords FTW.

Once upon a time, maybe. Not now

Why passwords have never been weaker—and crackers have never been stronger

 

[KIA]

Be assured that if you even had a good password, it will be found.

^SCxWSP=5'L7+qwZDil3cLE,PV5:bn

Have fun.

 

[BigglesPiP]

^SCxWSP=5'L7+qwZDil3cLE,PV5:bn

Have fun.

I'm not renting an Amazon cloud instance to prove a point. If it was randomly generated alphanumeric, it's worth a couple of months. If it was something more memorable, a good hacker will have it in much shorter order, they don't share their "dictionaries" readily.

Edit:
The "dictionary" as I'm calling it gets a bit of a description in this rather interesting article: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

It gets improved based on what worked best in previous attacks. One cracked "momof3g8kids" early on. Truly random passwords are a matter of computing power, and with md5 your password will be found soon.

If someone has the hash database, just stop using that password.

 

[KIA]

Truly random passwords are a matter of computing power, and with md5 your password will be found soon.

Sure it will.

 

[theheyes]

The point is md5 isn't really fit for purpose any more. The aren't the first and won't be the last, but an offical community forum for an operating system should have had a more secure solution.

 

[Tuvoc]

Is the forum back up ?

 

[Hyburnate]

Is the forum back up ?

Surely in the time it took you to login to the forums and make that post, you could have just gone to the forums and found out?

 

[Tony Williams]

bit of a fight going on 'ere, claim down skeeter - he aint hurting anyyone.

 

[Tuvoc]

It is so long ago that I used those forums (2010) that I'm not sure I am affected. I have an email at my email address for my original registration, but the forum now says that there is no registration under that email address when I ask for a password reminder. And I note it is a new Ubuntu One sign-on now or something, which I don't think existed back then. But then again, I did get the warning email about the hack, so I'm confused... oh well.