Over the last two decades, a raft of instant messenger services have come and gone. Frustratingly, instant message services never completely solved the issue of bridging communication with users on other services. Case in point, MSN Messenger was repeatedly blocked by AOL after Microsoft's attempts to bridge the divide before giving up.
This situation gave rise to multi-protocol messenger clients, such as Trillian released back in 2000, to make it easier for users to simultaneously connect to numerous services with a single client. Trillian went on to become one of the most popular multi-protocol messenger solutions available alongside Pidgin, the instant messaging client formerly known as Gaim.
Unfortunately, Trillian's blog and forums were involved in a security breach earlier this week. A single server, running both WordPress and vBulletin, was targeted by the attack with a vulnerability specific to vBulletin used to gain access to both application databases.
Data exfiltrated from these databases include salted MD5 hashed passwords. In a help article regarding the incident, Cerulean Studios stated that:
Because both of these services had already been deprecated and were only kept online for archival purposes, most of the data was anywhere from 3 to 14 years old. The resulting likelihood of the data being useful to an attacker is therefore much lower unless you've used the same password for many years across multiple sites.
Only those who had signed up to participate on Trillian's blog or forums should be concerned. The company was quick to add that actual Trillian passwords, accounts data, messaging data or billing information were not compromised by the attack, as the affected server had been isolated from the rest of their network.
Unsurprisingly, Cerulean Studios has encouraged users who have reused the same credentials, either with the Trillian client or elsewhere on the internet, to change their password as soon as possible. The company has also recommended the use of a password manager to help users maintain unique credentials for each website.
Both the Trillian blog and forums have been taken offline permanently after the shared sever was shut down yesterday.