MacRumors forums breach exposes 860,000 accounts

A popular Mac news website, MacRumors, reported that their forums were compromised on Tuesday. The attack led to the exposure of some 860,000 accounts, and is said to be similar to the one that took place on the Ubuntu forums earlier this summer.

[Stolen Adobe account data goes public, Photoshop source code breached]

In a statement to users, Arnold Kim, the Editorial Director for MacRumors.com, said that the breach appeared to be similar to the one that happened on the Ubuntu Forums in late July. However, he explained, administrators detected the breach as it was happening.

“Yesterday, we were hacked. We detected it relatively quickly, but are still going through the logs with a 3rd party security company,” Kim said in a statement.

“We restored the forum from backups from before the incident. I’ll fill you in more as we get more information back, as it’s still early. But it’s safest to assume at least part of the user table was taken, which means usernames, email addresses, and hashed passwords.”

As mentioned, the MacRumors breach appears to be similar to the one suffered by the Ubuntu forums in late July. In both cases, an attacker compromised a moderator’s account, and used that access to gain additional permissions, allowing them to target the user table. What isn’t known, or at least what wasn’t made public by MacRumors, is how the privilege elevation happened in their situation.

During the Ubuntu incident, the attacker used Cross-Site Scripting (XSS) in order to gain access to an administrators account. They were able to do so by using the compromised moderator credentials to create an announcement with embedded XSS code, and steal an administrator’s credentials. As an administrator, the attacker was able to use the hook feature available to administrators in vBulletin (the forum platform used by Ubuntu and MacRumors) to execute PHP code, which finalized the attack.

“The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the user table to a file on disk which they then downloaded,” Canonical explained at the time.

[The 15 worst data security breaches of the 21st Century]

Again, MacRumors hasn’t disclosed the full details of their particular incident, but even if the attack they suffered happened exactly the same way the Ubuntu attack did, nothing changes for the users.

“In situations like this, it’s best to assume that your MacRumors Forum username, email address and (hashed) password is now known,” an announcement on the forum explained.

In the breach announcement, MacRumors encouraged users within the community to change their passwords, especially if they were recycled and used on other websites. Based on some of the comments left on the MacRumors forum, this is solid advice, as many of them admit to reusing their passwords for other services, including Apple IDs. In order to keep password reuse to a minimum, MacRumors has recommended the use of password managers and such as 1Password or iCloud keychain.

Email notifications are pending, and additional details on the breach are expected as clean-up is completed. Updated information will be posted to the MacRumors website, and the security thread on the forums.