Ubuntu Forums hacked

This topic is closed.

    The Ubuntu Forums experienced a security breach within the last 24 hours. Apparently usernames, passwords, and email addresses were stolen. From the site:

    There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly with progress reports.
    What we know
    Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.
    The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
    Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.
    I've changed my email password just in case. It might be wise for others to do the same.

    #2
    Not a good thing!
    Windows no longer obstructs my view.
    Using Kubuntu Linux since March 23, 2007.
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      Worth noting that Ubuntuforums uses vBulletin, same as here at KFN, and that vBulletin encrypts passwords with "a double MD5 hash with a salt". (Source: http://www.vbulletin.com/forum/forum...rds-protection )

      something like md5(md5(password)salt)
      From what I've read elsewhere, MD5 is considered to be pretty weak sauce when it comes to protecting passwords.

      @whatthefunk: You used the same password on your email account as you used on your Ubuntuforums account?? If you didn't, then there was no real need to change your email password.
      "Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all."
      -- Douglas Adams



        #4
        Thanks for posting this, I rarely check the ubuntu page and would have missed it.



          #5
          Originally posted by HalationEffect
          @whatthefunk: You used the same password on your email account as you used on your Ubuntuforums account?? If you didn't, then there was no real need to change your email password.
          I don't actually remember. I registered at the Ubuntu Forums years ago when I was just getting into Linux and was still stupid about internet use. Ever since then, my browsers have remembered it. There's a good chance that it's the same as my email one because I used to use one password for everything. So just to be safe, I changed all my passwords.



            #6
            Originally posted by whatthefunk
            I don't actually remember. I registered at the Ubuntu Forums years ago when I was just getting into Linux and was still stupid about internet use. Ever since then, my browsers have remembered it. There's a good chance that it's the same as my email one because I used to use one password for everything. So just to be safe, I changed all my passwords.
            Yeah, I used to be much the same, using a handful of passwords (with minor variations) for all my online accounts. Then I read a couple of articles about offline cracking, and after that opened my eyes I started using KeePassX to generate & remember unique, high-entropy passwords for all important accounts (email, banking, etc). I don't much care how secure my various forum passwords are, because if they get compromised it's no big deal.
            "Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all."
            -- Douglas Adams



              #7
              I rarely go there and what are they going to do, post some ugliness under my 'webmail' based account and get me banned? Oh well. But thanks for the warning though. Here is an idea, after a security breach such as this, they should present the returning user with the option to immediately change their password and/or email before re-entering the site, just sayin' again, lol.

              Edit: Several of you make good points about similar/same passwords for various sites, NOW I am a little concerned, *swallows foot whole*. =[
              Last edited by tek_heretik; Jul 21, 2013, 05:33 AM.



                #8
                I am also guilty of using the same password on different sites, but in the case of ubuntuforums my password is a unique one, so I guess I am OK.



                  #9
                  As for my passwords, I utilize a 'pattern' approach but that is unique for each site. My password for Ubuntuforums was unique, so I'm not (overly) worried. That UF permitted (there is no other way to say it) its member information database to be compromised is simply unforgivable. Such an incident might be expected, even anticipated (in time) of a non-Linux enterprise, but not a Linux-driven one. The only 'good' thing that I see coming out of this fiasco is that Ubuntuforums will return with a much securer site.
                  Windows no longer obstructs my view.
                  Using Kubuntu Linux since March 23, 2007.
                  "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                    #10
                    Can I assume the Ubuntu and Kubuntu are separate? (Have separate passwords.)



                      #11
                      Originally posted by wmrobins
                      Can I assume the Ubuntu and Kubuntu are separate? (Have separate passwords.)
                      Yes. The Kubuntu Forums are privately owned and operated. See the very foot of this page.


                      Edit: The official announcement has now been posted - http://blog.canonical.com/2013/07/21...u-forums-site/.
                      Last edited by Guest; Jul 21, 2013, 01:22 PM. Reason: Added link to the official announcement



                        #12
                        I had to open roboform to see if I had an account with ubuntu forums. Usually, I only get into the forums from a google search. Apparently, at some point, I thought it was a good idea to have an account there.

                        I guess once they get back online, I'll generate a new password and change it....
                        I do not personally use Kubuntu, but I'm the tech support for my daughter who does.



                          #13
                          Originally posted by HalationEffect
                          Worth noting that Ubuntuforums uses vBulletin, same as here at KFN, and that vBulletin encrypts passwords with "a double MD5 hash with a salt".
                          MD5 is weak, is known to produce collisions, and withers under contemporary GPU-based attacks. vBulletin's function:

                          Code:
                          md5( concat( md5('{$_POST['fpassword']}'), salt))
                          is only marginally better than md5crypt (another salting mechanism); both are crap.

                          ==========

                          NOTE

                          There's been a lot of speculation on the Internet as to the cause of the attack. Very little is known right now, but my suspicion is that the attacker found a vulnerability in vBulletin rather than in the underlying operating system. I am offering nothing more than an educated guess myself. Until we learn more details, there's very little we can do. Once we understand the details, we'll act very quickly to implement necessary security remedies.
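The hashing scheme discussed in posts #3 and #13, next to one way a site could upgrade such a database without waiting for users to log in, as an added example that is not part of the thread and is not vBulletin's own code. It assumes hex digests and plain string concatenation, as the thread describes the scheme; the record layout, scheme labels, scrypt parameters and sample row are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def vb_legacy_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt) over hex digests, as described in the thread."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def _scrypt(data: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF: every guess needs about 16 MiB, unlike a bare MD5 call.
    return hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def wrap_record(rec: dict) -> dict:
    """Upgrade a stored legacy row at rest; no plaintext password is needed."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt-wrapped-md5", "vb_salt": rec["vb_salt"],
            "kdf_salt": kdf_salt,
            "hash": _scrypt(rec["hash"].encode(), kdf_salt)}

def native_record(password: str) -> dict:
    """Record for a new or re-hashed password: scrypt only, no MD5 layer."""
    kdf_salt = os.urandom(16)
    return {"scheme": "scrypt", "kdf_salt": kdf_salt,
            "hash": _scrypt(password.encode(), kdf_salt)}

def verify(password: str, rec: dict) -> bool:
    if rec["scheme"] == "vb-md5":
        got = vb_legacy_hash(password, rec["vb_salt"]).encode()
        want = rec["hash"].encode()
    elif rec["scheme"] == "scrypt-wrapped-md5":
        legacy = vb_legacy_hash(password, rec["vb_salt"])
        got, want = _scrypt(legacy.encode(), rec["kdf_salt"]), rec["hash"]
    else:  # "scrypt"
        got, want = _scrypt(password.encode(), rec["kdf_salt"]), rec["hash"]
    return hmac.compare_digest(got, want)  # constant-time comparison

def login(password: str, rec: dict):
    """Return (ok, record); a successful login on an old scheme is re-hashed."""
    if not verify(password, rec):
        return False, rec
    return True, (rec if rec["scheme"] == "scrypt" else native_record(password))

# Constructed sample row; the salt and password are made up for this example.
LEGACY_ROW = {"scheme": "vb-md5", "vb_salt": "a1B",
              "hash": vb_legacy_hash("correct horse", "a1B")}
```

Wrapping protects rows that are still in the database; it does nothing for hashes that have already been copied out, which is why affected users still need to change reused passwords.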



                            #14
                            OK so what this means is, posts that appear to be from me might actually be from an imposter .... OH, WTF, who actually cares?

                            ;-)

                            Looks like a giant "nothingburger" from here.
                            Last edited by dibl; Jul 21, 2013, 06:55 PM.



                              #15
                              Originally posted by dibl
                              Looks like a giant "nothingburger" from here.
                              Like these? Being from Dayton, Don, you'll know
