Ubuntu Forums hacked


securitybreach

There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly with progress reports.

 

What we know

  • Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.
  • The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
  • Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.

http://ubuntuforums.org/announce.html

 

1.82M logins, email addresses stolen

http://www.zdnet.com/ubuntu-forums-hacked-1-82m-logins-email-addresses-stolen-7000018336/

Ubuntu Forums hacked, 1.8 million passwords and emails stolen

 

Canonical, the lead developers of the Ubuntu Linux-based operating system, have admitted that its online forums were not just defaced this weekend, but also that hackers managed to steal every user's email address, password and username from the Ubuntu Forums database.

 

Apparently every member's username, password and e-mail were obtained. Hopefully, everyone here knows enough to use a different password everywhere. Even so, the obvious advice: change your email password ASAP!

Guest LilBambi

Good thing the hashes were not in the clear, but they were not totally clear whether they were hashed and salted.

 

From this link on ITWorld:

 

Hashing is using a cryptographic algorithm to convert data like a password into a fixed length string of characters called a fingerprint.

Salting is a way to randomize hashes by adding a random string (which is called a salt) before a password is hashed, which makes it much more difficult to crack the password hash.

This page explains it more thoroughly: http://crackstation.net/hashing-security.htm

 

Thankfully many of us use unique passwords everywhere.


Guest LilBambi

I merged the two topics about the Ubuntu forums hack in Security and Networking.

Edited by LilBambi
Guest LilBambi

Yes, that second link is interesting...especially the part about resetting their passwords noted in the article at the hacker news.

V.T. Eric Layton
Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.

 

Hmm... guess I'll be getting some SPAM, huh?

  • Like 2
V.T. Eric Layton

Fortunately, I believe that I used my inbox.com email account for the Ubuntu forums, as I do for all techie forums and newsletters. I use different email accounts for different purposes. This allows me to do things like totally white listing an account, as I have with inbox.com. ONLY emails from forums/newsletter servers on my account reach my inbox, so SPAM has a hard time getting through. They'd have to spoof one of the domains on my white list.

 

I actually worry more about them using my account on the Ubuntu forums for naughtiness. I will have to change the password as soon as Ubuntu allows me back in there. :yes:

Fortunately, I believe that I used my inbox.com email account for the Ubuntu forums, as I do for all techie forums and newsletters. I use different email accounts for different purposes. This allows me to do things like totally white listing an account, as I have with inbox.com. ONLY emails from forums/newsletter servers on my account reach my inbox, so SPAM has a hard time getting through. They'd have to spoof one of the domains on my white list.

 

I actually worry more about them using my account on the Ubuntu forums for naughtiness. I will have to change the password as soon as Ubuntu allows me back in there. :yes:

I really don't care if they use my account at the Ubuntu forums for naughtiness.

I was banned at least once for asking a question and then asking the smarty-pants answerer for help in following their wonderful advice.

What was their advice, you ask?

RTFM!

I was so new to Linux/FOSS I had no idea what that was.

So I asked. Once I knew it was "Read The Fine Manual" o:) I had the nerve to ask how one does that in Linux.

Ban Hammer came down.

After the second such incident, I never returned to the forum.

Hope the bad guys cause them all kinds of grief with my username and password.

They deserve what they get.

V.T. Eric Layton

Spoofing a domain in an email is a trivial matter..... :lol:

 

Adam

 

Oh, yeah? Bet you can't do it. ;)

V.T. Eric Layton

That's odd, Bob. I never had any problems at the Ubuntu forums. Everyone was always nice and helpful to me. I guess you just attract that type of abuse. ;)

That's odd, Bob. I never had any problems at the Ubuntu forums. Everyone was always nice and helpful to me. I guess you just attract that type of abuse. ;)

Ubuntu forums were the only place it ever happened.

Of course, there is the fact that I was known to be a friend of Ken Starks (aka Helios) who was truly despised by the admins and mods there.

 

Could be a connection.

 

I don't even get any abuse at the Arch forums when I ask brain-dead questions.

Edited by amenditman
  • Like 1
V.T. Eric Layton

Now Arch was an altogether different experience for me. I wasn't impressed with their kindness and hospitality at all.

securitybreach

Now Arch was an altogether different experience for me. I wasn't impressed with their kindness and hospitality at all.

 

You haven't been to my Archlinux Community on G+

V.T. Eric Layton

Hey! You told me your real name was Archie Winkelstein. Are you using a pseudonym at G+? UMMMAAA! I'm gonna' tell. ;)

securitybreach

Hey! You told me your real name was Archie Winkelstein. Are you using a pseudonym at G+? UMMMAAA! I'm gonna' tell. ;)

 

Of course I am.... My real name does not exist online.

V.T. Eric Layton

Yes, it does. You should see some of the mugshots of people that have the same real name as you. ;)

securitybreach

Yes, it does. You should see some of the mugshots of people that have the same real name as you. ;)

 

Right....
