Avast takes community forum offline after data breach

Prague-based antivirus company Avast said Monday it took its community forum offline after a data breach, but payment information was not compromised.

Usernames and nicknames, email addresses and encrypted passwords were obtained in an attack over the weekend, wrote Avast CEO Vince Steckler on a company blog. The attack affected less than 400,000 of Avast’s 200 million users.

“We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you,” Steckler wrote.

How the forum was breached remains unknown, Steckler wrote. The leaked passwords were hashed, which means that hackers obtained cryptographic representations of passwords that have been run through an algorithm. For example, the password “Rover” run through the SHA-1 algorithm is “ac54ed2d6c6c938bb66c63c5d0282e9332eed72c.”

Steckler didn’t specify the algorithm Avast uses to hash passwords, but warned that “it could be possible for a sophisticated thief to derive many of the passwords.”

Converting those hashes into their original passwords is possible using decoding tools and powerful graphics processors. But the longer and more complicated the password — such as one with a mix of capital letters, numbers and symbols — the harder it is to crack.

People who reuse the same password from Avast’s forum on other sites are advised to change them immediately, he wrote. When the forum is back online, users will be prompted to change their passwords.

Steckler wrote the forum was hosted on an isolated, third-party platform for many years. Avast plans to rebuild the forum using a new software platform, which will be faster and more secure.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk