The guys who write the phpBB forum software have had their main website hacked. The whole process looked pretty sophisticated and the hacker had access for a couple of weeks (increasingly deep access during that time). The bottom line is that they have posted all the e-mail addresses, user ID’s and hashed passwords for every account registered on phpbb.com.
In fact, they went one further and just dumped the entire mysql database, and made it available, so it’s got all the fields of information used to register accounts.
Now the passwords are md5 hashes, rather than plain text, however phpBB v2 used a straight md5 hash which is easy to brute force. phpBB v3 salts the hash first, and so is harder to brute force. If you created an account on phpBB while it was running v2 and then never logged in again after it upgraded to v3 then lots of people you don’t want having access are currently trying to brute force your password. If you had a simple password, they’ve already done it, and in fact, they broke about 18,000 passwords pretty quickly (all the obvious ones).
Robert Graham has done some basic analysis of the passwords over in this article. He’s also posted a link to the blogger site which details the hack, which is still there at the moment, although none of the links from that site to the resulting files he published work. The phpbb.com site is down for maintenance until they make sure it’s safe and that nothing else was changed.
The hack was carried out using a 0-day exploit of PHPlist, a mail manager application, and not directly related to the phpBB software itself. The hacker had access for a couple of weeks, and the patches to PHPlist were released after he gained access, so patching as soon as they could wouldn’t have helped the phpBB guys. What would have helped, was not upgrading to the latest version of PHPlist straight away – a possible good argument for running at least one level back from the latest level of any software (excluding security patches, of course). Those two requirements probably conflict too often for it to be perfect advice.
I had an account on phpbb.com so I spent a few hours last night checking what user credentials I’d used and making sure I wasn’t using the same combination anywhere else. I think I had a reaonably strong password, it’s never a word in the dictionary, it’s not even a word in the dictionary with some letters replaced by numbers, so it can only be brute forced by using random combinations of characters. However, computational power is cheap and getting cheaper, so any password that can be brute forced will eventually be brute forced. I’m not sure if I logged in to phpbb.com after they moved to v3, but I suspect I did so my password was probably salted as well. However, I didn’t take any chances and I changed my passwords on a bunch of services last night.
Does this hack teach us anything? No, not really, but it reminds us of some stuff we should have already known. Try not to use the same user id / password combination more than once, and certainly keep stuff you care about (like online banking credentials) totally different to stuff you don’t care about (like message boards you’re going to use once).
The article analysing the passwords reminds us that picking clever passwords is harder than you first think, because with millions of other computer users around the world doing the same thing, passwords can still be very common. Picking trustno1 (Mulder’s password from X-Files) won’t help you when your hackers are X-Files fans, and joshua isn’t as clever as you imagined when you find out half the hackers in the world watched WarGames as well. I’m not sure the list on this site is really the top 500 passwords, but it’s a good example of 500 pretty weak passwords, because if they’re that easy to think up, they’re already in a brute force dictionary somewhere.
If you can create your own md5 hashes (various methods depending on your OS) then you can do a simple check to see if the password might be weak. Search for it on google. For example, the md5 hash for password is 5f4dcc3b5aa765d61d8327deb882cf99, now check out google and see how many hits you get for it. If someone used password as their password on phpbb.com then the hackers knew it in about 2 seconds. And making the o’s into zeros won’t help you. You don’t even need to be a hacker to go from unsalted md5 hashes to passwords, there are several websites out there, easily found in google, where you put in md5 hashes and they tell you the string used to create that md5 hash.
Take care with your accounts and your passwords, keep them out of the dictionary.