The hacker behind Monday’s breach of an Apple-related rumor and news website has promised to not leak any of the 860,000 passwords he stole.
But the hacker — known as “lol” — said that any users who’d reused the same password on other sites had only themselves to blame. “We’re not terrorists,” he said. “Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place.”
The MacRumors website disclosed the breach Tuesday, saying that an attacker accessed a moderator account for the vBulletin software — sold by Internet Brands — that runs its online forums, then managed to escalate their access privileges, and dump a database containing usernames, email addresses and passwords, which were hashed and salted. The site recommended that all users immediately change their password for MacRumors, as well as any other site for which they’d used the same password.
“We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher,” said “MacRumors god” Arn Kim. “We believe that at least some user information was obtained during the attack,” including passwords, he added. “They are vBulletin’s standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.”
In a series of MacRumors forum posts, Lol confirmed Wednesday that he’d dumped the forum database and obtained usernames, email addresses, and salted and hashed passwords for 860,106 users. As proof that he was behind the hack, lol also published the first 16 bits of Kim’s old password hash, as well as the salt used for the password. But lol promised not to leak or even crack the passwords, or use the information to hack into people’s Gmail, Apple, Yahoo or other accounts, “unless we target you specifically for some unrelated reason.”