MacRumors forum hacked and nearly a million accounts compromised, but hacker won't share

The Mac- and iOS-focused news site MacRumors confirmed this week that its forums were attacked by hackers, with 860,000 usernames and passwords stolen.

Fortunately, the hacker says he will not leak any of the stolen passwords, but MacRumors has still begged users to change their passwords on the site and on any other sites where they might have used the same username and password combination.



"We're not terrorists," says the attacker, who goes by "lol." "Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place."

The hacker accessed a moderator account for the vBulletin software that runs the site, then escalated their access privileges and eventually dumped a database containing all the usernames, email addresses and passwords. The passwords were hashed with salted MD5, which means they will be cracked within days if not sooner. MacRumors was upfront with its users: it confirmed that the hash/salt scheme is not secure and reported the breach within hours of it occurring, unlike major corporations, many of which have waited days following attacks to say anything.
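
A defender's view of the salted-MD5 weakness described above, as an added example that is not from the article, MacRumors or vBulletin: stored salted-MD5 values are wrapped in scrypt in one batch, then re-hashed directly at each user's next successful login. The `md5(md5(password) + salt)` layout, the record field names and the sample row are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def legacy_md5(password, salt):
    # Assumed legacy layout: md5(md5(password) + salt), hex-encoded.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def slow_hash(secret, kdf_salt):
    # scrypt is memory-hard: with these parameters each guess needs about
    # 16 MiB of RAM and far more time than a single MD5 call.
    return hashlib.scrypt(secret.encode(), salt=kdf_salt,
                          n=2**14, r=8, p=1, dklen=32).hex()

def wrap_legacy(record):
    """Batch step: replace a stored salted-MD5 value with scrypt(md5_value).
    No password is needed, so every account is converted at once."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt-md5", "md5_salt": record["salt"],
            "kdf_salt": kdf_salt, "hash": slow_hash(record["hash"], kdf_salt)}

def verify(record, password):
    """Login check. A successful login on a wrapped record re-hashes the
    password directly, dropping MD5 from that account entirely."""
    if record["scheme"] == "scrypt-md5":
        secret = legacy_md5(password, record["md5_salt"])
    else:
        secret = password
    candidate = slow_hash(secret, record["kdf_salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and record["scheme"] == "scrypt-md5":
        kdf_salt = os.urandom(16)
        new_hash = slow_hash(password, kdf_salt)
        record.clear()
        record.update(scheme="scrypt", kdf_salt=kdf_salt, hash=new_hash)
    return ok

# Constructed sample row, not data from the breach.
legacy_row = {"salt": "x9Q", "hash": legacy_md5("correct horse", "x9Q")}
```

Wrapping protects the copy of the database that remains on the server; it does nothing for hashes that have already been dumped, which is why the password change is still needed.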

"Consider the 'malicious' attack friendly," added "lol." "The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public." When asked why he didn't just alert the administrators to the flaw, lol responded by saying that "outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc."

Written by: Andre Yoskowitz @ 14 Nov 2013 18:50
  • 5 comments
  • Menion

    "Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."

    Funny how criminals are "Never" responsible for their malicious actions, it's always someone else's fault.

    15.11.2013 00:29 #1

  • stardata

    We here in Ireland have just had a major one as well...

    More than 1.5 million people are now known to have had personal information compromised by a major security breach at a Co Clare-Ireland based company which manages customer loyalty schemes across Europe.

    A Garda (Irish police) investigation has been launched into what is fast becoming one of the worst data breaches in the history of the State.

    15.11.2013 11:34 #2

  • Bozobub

    I'd translate the hacker's comment more as, "Stop worrying, so we have more time to try to access other accounts you may have, that use the same login" ^^' .

    15.11.2013 13:58 #3

  • stardata

    Some white hat hackers/crackers will do this to put the frighteners to businesses just to make them aware of their security flaws, but time will tell whether this one is such an example.

    http://www.youtube.com/watch?v=6xkDNvuIvSQ

    15.11.2013 14:52 #4

  • swog

    When asked why he didn't just alert the administrators to the flaw, lol responded.... because if he had done so do you think they would have acted in such a quick manner to make it known, if at all.
    We saw in UK with 'Pleb Gate' & 'NOTW' phone hacking that even when faced with the evidence/truth Organisations, people will go to any lengths to cover it up.
    We're all able to take action now on Forums run by the same SW who'd have been oblivious to the problem but for lol going public.

    16.11.2013 02:03 #5

© 2024 AfterDawn Oy