1.82m affected by Ubuntu Forums data breach; passwords stolen

The Ubuntu Forums are the latest site to suffer a data breach at the hands of a hacker, which took place last night. An estimated 1.82 million accounts have been affected, and at the time of writing the site is still down for maintenance.

According to the placeholder page currently on the Ubuntu site, only the forums were affected, with Ubuntu One, Launchpad and other Ubuntu/Canonical services escaping the breach. The page also notes that although passwords were not stored in plain text, users who use the same password for multiple services, such as email, are "strongly encouraged to change the password on the other service ASAP." It also specifically admits that the hacker, going by the name @Sputn1k_, managed to grab "every user's local username, password, and email address from the Ubuntu Forums database."

The Twitter account currently has only five tweets, seemingly unrelated to the hack, and 83 followers at the time of writing, but that hasn't stopped users of the Ubuntu Forums from reaching out to slam the hack.

Some users even reached out to ask what music the defaced page had briefly played before it was taken down.

The defaced page also linked to a "shoutout" to Twitter user @rootinabox, who appears to be based in the Netherlands and last tweeted just over two weeks ago.

The Ubuntu Forums run on vBulletin, a popular web-based forum package.

Source ZDNet | Image courtesy of ZDNet


72 Comments


Scroogled said,
Were they running Linux servers on the backend?

Not a big surprise, Ubuntu's forum web server reports itself as Apache/2.2.22 (Ubuntu).

It helps when the people behind a project have some level of competency with security. Not saying the Ubuntu Forum owners/maintainers don't, but at the same time there is the fact that VBul has been cracked into multiple times in the past; I haven't once seen an article about a forum database cracked into that was running XenForo, for example.

Simply put: FOSS doesn't mean everything behind it will be crap. It's only as good as the people running it.

Lord Method Man said,
FOSS = You get what you pay for

So you paid for the NSA backdoor in the Windows encryption driver in the System32 folder? Good to know.

Gerowen said,

So you paid for the NSA backdoor in the Windows encryption driver in the System32 folder? Good to know.


No you didn't, as there isn't such a thing. That crap is one of the longest-running urban myths in tech history.

I just wish people wouldn't do these sorts of things (naive, I know).

I had to change my password as I was using my Ubuntu One password as my log in for the forums there. At least it wasn't as much bother as the Playstation hack, which meant a credit card change for me.

I think it's good when talented people test systems for security, but they should share any vulnerabilities they find ONLY with the people who own those systems (white hat). Otherwise, they are just criminals (black hat).

Oh, and I know I'm naive for saying this, but I don't understand those people who find this sort of thing something to laugh at.

Because it's Ubuntu, supposedly the "most secure, reliable and advanced OS in the world"... but as always Canonical will say that those forums were running on IIS8 and Windows Server 2012 R2 and of course it's MS's fault lol

I could be jokey and say this means Canonical and Ubuntu have 'arrived'.

But why is any of this funny? Any time a company gets hacked, we users are at risk. Why is that funny?

wingliston said,
1.82m users use Ubuntu forum, Windows 8 isn't doing well. Chromebooks sales are skyrocketing. Switch to Linux.

lol nailed it!

Phouchg said,
So, only people 1.82m tall were targeted. See what happens when you share too much information on the internets?

lmfao

yowanvista said,
Why were those retards still using MD5 in the first place? Can't they just use SHA-2?

Be glad the passwords were encrypted. There were many hacked sites in the past where they were plain text, and those were major companies.

For the purposes of obscuring a password, MD5 can offer some security. Just not in untouched form. If you add a salt to each password stored, then any attempt to crack the passwords retrieved using an MD5 comparison would require you to regenerate the comparison list on each password, assuming you have the salts as well (which should be stored in a different database). Ideally you would use a more secure method of one-way encryption though, and there is little excuse not to these days as it is widely available. One slight problem is in upgrading old systems that used MD5 though - as it is one-way, you'd either have to run SHA over the top of MD5 or ask users to enter new passwords again.

To be frank, I don't know why people always jump on the encryption used to store passwords as the main point of contention in these server attacks. The servers shouldn't be being breached in the first place and it is becoming way too common. How the passwords are encrypted is only relevant once the data has already been stolen and at that point they often have other useful information that is encryption free.

yowanvista said,
Why were those retards still using MD5 in the first place? Can't they just use SHA-2?

You don't just go in and change a password storage method and break compatibility/create enter-your-password-again mess for millions of people.

Fourjays said,
For the purposes of obscuring a password, MD5 can offer some security. Just not in untouched form. If you add a salt to each password stored, then any attempt to crack the passwords retrieved using an MD5 comparison would require you to regenerate the comparison list on each password, assuming you have the salts as well (which should be stored in a different database). Ideally you would use a more secure method of one-way encryption though, and there is little excuse not to these days as it is widely available. One slight problem is in upgrading old systems that used MD5 though - as it is one-way, you'd either have to run SHA over the top of MD5 or ask users to enter new passwords again.

To be frank, I don't know why people always jump on the encryption used to store passwords as the main point of contention in these server attacks. The servers shouldn't be being breached in the first place and it is becoming way too common. How the passwords are encrypted is only relevant once the data has already been stolen and at that point they often have other useful information that is encryption free.


It is md5'd 3 times with 1 common salt and 1 user-specific salt.

That's the thing. Once they have access, nothing else matters much.
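The salted-MD5 discussion above (a site-wide salt plus a per-user salt, and the problem of moving old rows to a stronger hash without making everyone re-enter a password) as an added Python example. This is illustrative code written for this page, not vBulletin's or Canonical's implementation: the three-pass MD5 construction, the site salt value, the PBKDF2 work factor and the record layout are all assumptions made here.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the legacy scheme the comment describes: three MD5
# passes with one site-wide salt and one per-user salt. It is an illustration,
# not vBulletin's actual algorithm.
SITE_SALT = b"constructed-site-wide-salt"  # assumption: one value shared by all users
PBKDF2_ITERATIONS = 100_000                # assumption: illustrative work factor


def legacy_md5_hash(password: str, user_salt: bytes) -> str:
    """MD5 over the password, then over that digest plus the site salt,
    then over that digest plus the per-user salt. Returns a hex string."""
    h1 = hashlib.md5(password.encode()).hexdigest()
    h2 = hashlib.md5(h1.encode() + SITE_SALT).hexdigest()
    return hashlib.md5(h2.encode() + user_salt).hexdigest()


def new_legacy_record(password: str) -> dict:
    """What an old-style row looks like: scheme tag, per-user salt, MD5 digest."""
    user_salt = os.urandom(8)
    return {"scheme": "md5x3", "user_salt": user_salt,
            "hash": legacy_md5_hash(password, user_salt)}


def new_kdf_record(password: str) -> dict:
    """The target scheme: PBKDF2-HMAC-SHA256 directly over the password."""
    kdf_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), kdf_salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "kdf_salt": kdf_salt, "hash": dk}


def wrap_legacy_record(rec: dict) -> dict:
    """Migration path 1: upgrade a row offline, without the password, by running
    the KDF over the stored MD5 digest. The old per-user salt is kept because
    verification must still recompute the inner MD5 digest."""
    if rec["scheme"] != "md5x3":
        raise ValueError("only legacy rows can be wrapped")
    kdf_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", rec["hash"].encode(), kdf_salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2(md5x3)", "user_salt": rec["user_salt"],
            "kdf_salt": kdf_salt, "hash": dk}


def verify(rec: dict, password: str) -> bool:
    """Constant-time comparison against whichever scheme the row is in."""
    if rec["scheme"] == "md5x3":
        cand = legacy_md5_hash(password, rec["user_salt"])
        return hmac.compare_digest(cand, rec["hash"])
    if rec["scheme"] == "pbkdf2(md5x3)":
        inner = legacy_md5_hash(password, rec["user_salt"])
        cand = hashlib.pbkdf2_hmac("sha256", inner.encode(), rec["kdf_salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(cand, rec["hash"])
    if rec["scheme"] == "pbkdf2":
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["kdf_salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(cand, rec["hash"])
    raise ValueError("unknown scheme %r" % rec["scheme"])


def login(rec: dict, password: str):
    """Migration path 2: on a successful login the cleartext is in hand, so any
    row not yet in the target scheme is re-hashed from scratch.
    Returns (ok, record_to_store); the caller persists the returned record."""
    if not verify(rec, password):
        return False, rec
    if rec["scheme"] != "pbkdf2":
        return True, new_kdf_record(password)
    return True, rec


def crack_legacy_row(rec: dict, candidates: list):
    """What the per-user salt buys: a guess list must be re-hashed for every
    row rather than looked up in one shared table. It does not save a weak
    password; only the slow KDF raises the cost of each guess."""
    for guess in candidates:
        if hmac.compare_digest(legacy_md5_hash(guess, rec["user_salt"]), rec["hash"]):
            return guess
    return None


if __name__ == "__main__":
    row = new_legacy_record("correct horse")
    row = wrap_legacy_record(row)                 # offline upgrade, no password needed
    ok, row = login(row, "correct horse")         # next login re-hashes natively
    print(ok, row["scheme"])
```

Both migration paths are shown because they answer different constraints: wrapping the stored digest can be run over the whole table the same day, while the native re-hash needs each user to log in once but leaves MD5 out of the verification path entirely. `crack_legacy_row` is there to make the comment's point concrete: the salt forces per-row work, nothing more.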

The_Decryptor said,
That just explains why MD5 is crap. As crap as PHP is, you can still write secure stuff using it.

If PHP's so crap, why are you on a site powered by PHP? Why does MS use wordpress (coded in PHP)?

WinRT said,
Please tell me, where MS use wordpress?

Hmm, I'd like to know this too. I thought everything Microsoft is done all in their own ASP.NET.

Demz said,
read this: why any PHP boards are crap

You can write crap in any language, bad programmers are bad regardless.

WinRT said,
Please tell me, where MS use wordpress?

If I recall they used it for a while with the Live Spaces blogging stuff before that got shut down, probably because of user familiarity with the brand. But yea, Microsoft typically goes with ASP.NET for their sites.

Max Norris said,

If I recall they used it for a while with the Live Spaces blogging stuff before that got shut down, probably because of user familiarity with the brand. But yea, Microsoft typically goes with ASP.NET for their sites.

I *think* what happened was that, when Live Spaces shut down, they migrated all their blogs to Wordpress and suggested people start using them there

OK, looks like they used WordPress in unknown and low-traffic websites lol... but as everyone knows, MS uses ASP.NET in all of their major services, including Bing (the front end obviously!)

Demz said,
read this: why any PHP boards are crap https://news.ycombinator.com/item?id=6076381

It's not PHP as such, it is the lacklustre admins that don't keep it up to date. In fact a few days ago 5.3.27 was released to fix yet more vulnerabilities in 5.3.26. The problem with PHP is that updating it quite regularly breaks things, so many hosters refrain from updating it. The 5.4 branch is the cutting edge, but also breaks quite a few things.

Wonder if this is yet another one of these breaches that appears to happen via a hard-to-track hard-to-fix attack via Apache. Could also be the common "not-updating software" problem, but I'd expect the Ubuntu guys of all people to update regularly.

Quite frankly no web server is safe these days. Not a week goes by where somebody doesn't get their server hacked. Why I won't trust anything serious to the cloud. Only a matter of time before one of them gets attacked as well.

Just as likely you get a trojan or virus etc. and someone steals your data. Put it simply, your data is probably more secure on a MS server (SkyDrive) than on your hard drive at home.

Nothing is totally safe anymore. It (a particular website) might be at the moment, but it's just a matter of time before some one hacks into any place, if they so desire.

djpailo said,
Just as likely you get a trojan or virus etc. and someone steals your data. Put it simply, your data is probably more secure on a MS server (SkyDrive) than on your hard drive at home.

I don't think I could go so far as to trust SkyDrive more than my own hard drive!

djpailo said,
Just as likely you get a trojan or virus etc. and someone steals your data. Put it simply, your data is probably more secure on a MS server (SkyDrive) than on your hard drive at home.

A good anti virus and common sense can prevent somebody accessing my computer via a virus or trojan. But hackers will get into a cloud provider sooner or later. To be fair, they could probably access my computer directly as well if they wanted to, but is a lot easier and more profitable for a hacker to target a cloud provider and get access to millions of people's data all in one go.

djpailo said,
Put it simply, your data is probably more secure on a MS server (SkyDrive) than on your hard drive at home.

data is more secure on a remote server hosted by a company known for giving info to a security agency at will? seriously?

Praetor said,

data is more secure on a remote server hosted by a company known for giving info to a security agency at will? seriously?

Especially combined with the fact that my computer is behind a firewall, and the only way to access it is if I mistakenly download a trojan that installs silently and can't be detected.

Fourjays said,

A good anti virus and common sense can prevent somebody accessing my computer via a virus or trojan. But hackers will get into a cloud provider sooner or later. To be fair, they could probably access my computer directly as well if they wanted to, but is a lot easier and more profitable for a hacker to target a cloud provider and get access to millions of people's data all in one go.

You're assuming every hacker will let you know that they've been in the cloud provider's servers or indeed your own computer. This hack on the Ubuntu forums is only public because the hacker let them know about it.

A lot of the time the exploits used to gain access have been there for a long time. You can look at common products, with a great example being Internet Explorer. Even recently disclosed exploits affect IE as far back as version 6... These security lapses in the code have been there for a long, long time, and maybe only known to a few elite hackers who prefer to use them for their own tasks before someone more forgiving comes along, finds the same security hole, and discloses it.

Sometimes, particularly with 0-day exploits, it's a race against time between the hackers and the admins to hack or patch the systems. The problem for most companies is that rather than employing some security hacker with lots of underground exploitation experience, the company hires someone who's got a degree in computer science and a few Microsoft and Cisco certificates and boasts on his CV that he's never had a security breach in any of the companies he's worked for. Reality is, he's probably just not noticed the breach...

That, unfortunately is the world we're already living in.

Praetor said,

data is more secure on a remote server hosted by a company known for giving info to a security agency at will? seriously?

Known? Based upon what exactly? Do you have any evidence suggesting Microsoft gives data at will to the NSA? Right, you don't, as there is no evidence; all they did is what any American company is obliged to do due to the law of the land.

sjaak327 said,

Known? Based upon what exactly? Do you have any evidence suggesting Microsoft gives data at will to the NSA? Right, you don't, as there is no evidence; all they did is what any American company is obliged to do due to the law of the land.


They are actually fighting the hardest (media wise) to get the government to allow MS to publicize the statistics.

sjaak327 said,

Known? Based upon what exactly? Do you have any evidence suggesting Microsoft gives data at will to the NSA? Right, you don't, as there is no evidence; all they did is what any American company is obliged to do due to the law of the land.

They actively look through your files stored on their SkyDrive server and will suspend your account if they deem anything questionable. If that alone doesn't tell you Microsoft has open access (and so will anyone else who has access to their systems), then I don't know what will.

But if it's not a hacker in the system, but rather the NSA with granted access, recent remarks that Microsoft has made, and even asked in court, regarding disclosing all government requests for access to its systems have to tell you that they're doing it and, sure enough, aren't telling people for whatever reason.

sagum said,

They actively look through your files stored on their SkyDrive server and will suspend your account if they deem anything questionable. If that alone doesn't tell you Microsoft has open access (and so will anyone else who has access to their systems), then I don't know what will.

But if it's not a hacker in the system, but rather the NSA with granted access, recent remarks that Microsoft has made, and even asked in court, regarding disclosing all government requests for access to its systems have to tell you that they're doing it and, sure enough, aren't telling people for whatever reason.

Of course Microsoft has access to whatever one puts on SkyDrive. And of course Microsoft is obliged (by law) to provide access to data if requested by the US government. There is however no evidence Microsoft provides any government agency with data when not requested, nor is there any evidence NSA technicians can simply access the data.

Apple and Google of course need to also comply with these laws (as any cloud provider based in the US would). At least with Apple and Microsoft your data isn't sold to the highest bidder; Google of course does, as that's exactly how they make money in the first place.

Shadowzz said,

They are actually fighting the hardest (media wise) to get the government to allow MS to publicize the statistics.

And they should; after all, it would be needed in the name of transparency.

sjaak327 said,

[...] At least with Apple and Microsoft your data isn't sold to the highest bidder; Google of course does, as that's exactly how they make money in the first place.


Geez. Google never sells information about you to third parties. Never has, and hopefully never will. They target the ads.

fobban said,

Geez. Google never sells information about you to third parties. Never has, and hopefully never will. They target the ads.

Of course they do, they are a dataminer, read their TOS.

please read: http://www.guardian.co.uk/worl...nsa-collaboration-user-data

"Blanket orders from the secret surveillance court allow these communications to be collected without an individual warrant if the NSA operative has a 51% belief that the target is not a US citizen and is not on US soil at the time. "

So it's like flipping a coin..plus 1%

Also, if this story were false Microsoft would be the first to say so and to sue the newspaper; not only did that not happen, but it's clearly in damage-control mode, since this damages its image; after all, they are one of the biggest cloud, data and VoIP providers in the world.

sjaak327 said,

Of course they do, they are a dataminer, read their TOS.


They do state that they won't sell the information. Perhaps YOU should read their TOS.

Btw, please link to the section you refer to.

Yeah, besides, recently my college was asked to purchase authentic Windows and Photoshop licences. All they did was completely remove Windows on all (close to 5000) PCs and install Ubuntu on all of them! They say "Open source is the future!" LOL