User database posted online

[Nozavi]

Hello

It seems the user database has been hacked and posted online: https://twitter.com/#!/ObSec_/status/106024604832768000

[webfork]

Hello

It seems the user database has been hacked and posted online: https://twitter.com/#!/ObSec_/status/106024604832768000

And I was just having a conversation with someone about the recent "because we can" hack-a-thon going on.

[Hydaral]

I don't know what this is supposed to be, I just get a plain white page with the twitter bar at the top.

[Firewrath]

Seems like your browser isnt showing the twitter page correctly.

But crap like this is why i dont like signing up for anything on the web, -_-

[joby_toss]

This seems to be a serious problem!

Should we change our passwords, or ...?

Why the hell did this happen? Ooh...I'm having mixed feelings about this...I'd better stop writing until I say something I'll regret!

[I am Baas]

This seems to be a serious problem!

Should we change our passwords, or ...?

Why the hell did this happen? Ooh...I'm having mixed feelings about this...I'd better stop writing until I say something I'll regret!

It is very serious... waiting for a word from Andrew... don't want to say anything just yet. I immediately changed my password. There's nothing useful in my profile information but I don't want anyone posting on my name.

[SYSTEM]

Thank you for the heads-up, Nozavi.

Password Safe both generated a new password and will remember it for me. What a great application...

[Hydaral]

I disabled blocking on my browser, so now I can see the post, but both the pastebin links are dead.

It doesn't sound like it was that bad though, all our passwords are hashed, right?

[JohnTHaller]

This seems to be a serious problem!

Should we change our passwords, or ...?

Why the hell did this happen? Ooh...I'm having mixed feelings about this...I'd better stop writing until I say something I'll regret!

Yes, everyone should change their passwords, especially if they use the same password and login on other sites. phpBB uses a hashed password table (as any application should), but once someone has the hash to your password, they could brute-force it to figure out your possible password. And if you share that password and login with other sites (think PayPal, your email account, banking, etc) bad things can happen. So, yes, you should change your password as well as any other sites you use the same password on. And you should use a different password for each site. Something like KeePass can generate very secure passwords for you and remember them.

[SYSTEM]

I disabled blocking on my browser, so now I can see the post, but both the pastebin links are dead.

It doesn't sound like it was that bad though, all our passwords are hashed, right?

I saw the list and can confirm that the passwords are indeed hashed.

However, all email addresses were leaked as well.

In addition, cracking the passwords may be possible with rainbow tables.

[JohnTHaller]

However, all email addresses were leaked as well.

Right, forgot about that bit. I use a standard email account for all signups like this that is separate from my main ones to avoid excessive spam, but many other users may not.

[freakazoid]

Time to update and patch phpBB!

[joby_toss]

Hmm...this attack happened on July 5th! A SQL injection method was used. Damn!
I don't remember exactly, but wasn't that the time we started to get those login captcha requests?
And why did it took so long to find this out? Damn!

@Nozavi: Multumim frumos! Abia acum mi-am dat seama ca esti roman!

[webfork]

EDIT: NickR just explained this post is inaccurate. Ignore.

However, all email addresses were leaked as well.

Actually only emails, usernames, and hashed passwords were leaked through A-M. If your username starts with N - Z you might want to change your password just to be safe, but your email address hasn't been exposed.

[NickR]

@webfork - There was a second file which cobtained the data for everyone else ie Michael84 to Zurgerok
and then circa 200 more entries which were not listed alphabeticaly