Forum compromise impacts 400,000 AVAST users

Users of the AVAST support forums will need to reset passwords after migration

Hackers

Vince Steckler, the CEO of AVAST software – one of the Web's most popular free anti-Virus programs, announced a breach over the holiday weekend, which impacts nearly 400,000 users.

The breach occurred on support forums for AVAST users, and exposed usernames, nicknames, email addresses, and hashed passwords.

The forums are community driven, and enable support for AVAST products, as well as other related information including data on malware and scams.

"Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work," Steckler's notification explained.

According to a cashed copy of the website, there were 355,505 members registered on the forum.

In his statement, Steckler said the breach impacted less than 0.2 percent of the company's 200 million users. Thus, the actual impact includes each registered account.

While the company didn't share many details about the breach, claiming that the cause itself was unknown, the forums were running an outdated version of SMF (Simple Machines Forum) at the time they were taken down.

So it is possible that the root cause is related to a previously patched vulnerability. Salted Hash has requested additional details, and will update this post if they're made available.

"We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately."

Update:

AVAST, when asked why an old version of SMF was being used, and if the attacker used a known vulnerability, shared the following:

"The forum was running SMF version 2.0.6. The latest version is SMF 2.0.7 but according to the SMF change log (and the announcements on the SMF web site) there were no security-related updates included in this version. The vulnerability was not known to us. It is not clear whether the attack was conducted via a 0-day vulnerability or a hole that was silently fixed in v2.0.7 but never announced."

When asked about the number of accounts impacted, or rather how many of the registered accounts on the forum were actually active on a somewhat regular basis, AVAST said:

"There are 75,000 accounts that logged in after January 1, 2013 and 30,018 of these users posted at least once in this period."

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.