The hacker behind Monday’s breach of an Apple-related rumor and news website has promised to not leak any of the 860,000 passwords he stole.
But the hacker — known as “lol” — said that any users who’d reused the same password on other sites had only themselves to blame. “We’re not terrorists,” he said. “Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”
The MacRumors website disclosed the breach Tuesday, saying that an attacker accessed a moderator account for the vBulletin software — sold by Internet Brands — that runs its online forums, escalated that account's privileges, and dumped a database containing usernames, email addresses and passwords, which were hashed and salted. The site recommended that all users immediately change their password for MacRumors, as well as for any other site on which they had used the same password.
“We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher,” said “MacRumors god” Arn Kim. “We believe that at least some user information was obtained during the attack,” including passwords, he added. “They are vBulletin’s standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.”
In a series of MacRumors forum posts, lol confirmed Wednesday that he’d dumped the forum database and obtained usernames, email addresses, and salted and hashed passwords for 860,106 users. As proof that he was behind the hack, lol also published the first 16 bits of Kim’s old password hash, as well as the salt used for the password. But lol promised not to leak or even crack the passwords, or use the information to hack into people’s Gmail, Apple, Yahoo or other accounts, “unless we target you specifically for some unrelated reason.”
A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:
4.X – /install/
5.X – /core/install
After deleting these directories your sites cannot be affected by the issues that we’re currently investigating.
vBulletin 3.X and pre-4.1 would not be affected by these issues. However, if you want the best security precautions, you can delete your install directory as well.
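The advisory above is a manual procedure; the following script, added here and not part of vBulletin or the advisory, removes the leftover install directories it names (4.x: `/install/`, 5.x: `/core/install`) from a webroot path you supply, with a dry-run mode so the change can be reviewed first. The webroot path and the `--dry-run` flag are this example's own assumptions.

```shell
#!/bin/sh
# Remove vBulletin install directories left behind after installation
# (4.x: <webroot>/install, 5.x: <webroot>/core/install).
# Hypothetical helper, not shipped by vBulletin. Assumes $1 is the webroot.

# Print each install directory that still exists under the webroot.
vb_install_dirs() {
    root=$1
    for d in "$root/install" "$root/core/install"; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Delete the install directories under $1.
# With "--dry-run" as $2, only report what would be removed.
# Returns 0 when no install directory remains, 1 otherwise
# (dry run found something, or a removal failed).
vb_remove_install_dirs() {
    root=$1
    mode=${2:-}
    remaining=0
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    for d in "$root/install" "$root/core/install"; do
        [ -d "$d" ] || continue
        if [ "$mode" = "--dry-run" ]; then
            echo "would remove: $d"
            remaining=1
        elif rm -rf "$d"; then
            echo "removed: $d"
        else
            echo "failed to remove: $d" >&2
            remaining=1
        fi
    done
    return $remaining
}

# Example invocation (commented out so the functions can be sourced):
# vb_remove_install_dirs /var/www/forum --dry-run && echo "nothing to do"
# vb_remove_install_dirs /var/www/forum
```

Run it once with `--dry-run` after every upgrade, since an upgrade package can recreate the directory.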
I now have a new server. A Virtual Dedicated Server to be accurate.
It’s been commissioned awaiting the migration of all my hosted sites from the existing server to the new VDS.
I’m really looking forward to seeing the 4 core processor in action, as one of my personal sites, yellowandblack.com.au, has been experiencing some issues of late. Here’s hoping that the server upgrade will fix that.
In addition to the server upgrade, I’m currently testing a replacement for the XenForo forum software that yellowandblack.com.au currently runs. I’ve created some test migrations of the site to IP.Board and vBulletin so I can evaluate their suitability. At present, I favour a move back to vBulletin which the site used for several years.
After some extensive research, I’ve now implemented the following software strategy starting with my own websites.
* Sites that require blog software will use WordPress
* Sites that require both a forum and a CMS will use WordPress bridged with SMF. This has been implemented on TRIM User Network
* Sites that become large and require more features than SMF will use the XenForo forum.
As I’ve posted previously, I performed a trial migration of the Yellow and Black website from Invision Power Board 3.1.4 to XenForo 1.0.4. This was a complete success and was completed in about an hour. Not bad for 360K+ posts and 2600+ users! The resultant test site performs superbly. I’ve added the XenPorta portal, which really makes the site look fantastic!
A screenshot of the homepage appears on the left.
My only issues are migrating the IPB Gallery to the new structure and whether to impose another software change on the site members a year after moving from vBulletin to IPB. Until I can migrate the Gallery, the latter isn’t a concern as the site will stay as is.
I’ve recently started using the Invision Power Board (IPB) IP.Content component on the Yellow and Black website. IP.Content is a CMS that integrates into the IP.Board software to enable the publication of articles and the creation of databases that can be used to display various data on the site.
Having tested it for a few months and now implemented it, I’m not sure if it’s what I want on the site. Much to my dismay, I’ve found that the database component isn’t a relational database. I had hoped to use it to drive the Yellow Sash Award on the website but this isn’t possible the way that the IP.Content databases have been written. I may have to learn some PHP and do everything directly from a MySQL database myself.
In any case, I’ve migrated a copy of the current database onto another server and have a working copy of the IPB site there. I’ve also converted this to run on vBulletin 4.1.3 and am in the process of migrating to XenForo 1.0.1. The end result will mean that a backup copy of the data from the production site will be able to run in my “lab” on 3 versions of software. I’m looking forward to testing them all to see which software performs the best.
At present, the current IPB installation is performing terribly slowly. I’m having difficulties migrating to vBulletin 4.1.3 as the post attachments are unable to be migrated without throwing an error. I’ve raised a ticket with the vBulletin support team but have yet to hear back from them after over a week. I purchased XenForo this morning and am currently migrating the IPB database over to run on this software. So far, (51.85% into the Thread and Post migration) everything has gone well. Fingers crossed that it migrates without any issues so I can give it a good test.
From what I’ve seen so far, XenForo is pretty responsive and easy to use. If XenForo continues to perform this well, I may seriously consider moving Yellow and Black to use this software in the future.
I’ll post my findings here when I can.
I’ve been thinking about another site for some time now. I already have a successful Football fan site – Yellow and Black and a moderately successful site dealing with another of my favourite subjects – the TRIM User Network.
Initially, I was looking for a site with which I could use my vBulletin 4.x license. I installed it and created The Aussie Forum; a site where just about anything goes! I needed somewhere where people could swap jokes, talk about their problems and desires, discuss sex, talk politics, and generally talk about anything they want to. The Aussie Forum is that place!
I’ve now replaced the vBulletin forum as it didn’t suit the needs of the site. Tonight, I’ve replaced it with the phpBB software. It’s their latest software – phpBB Version 3.08. In the next few days, I’ll add a Joomla CMS to the site to enhance the user experience.
I hope that you’ll call by and check out the site. I also hope that you’ll start a topic and/or add your opinion to an existing one.
I would like to announce that version 4.1 of vBulletin Publishing Suite and vBulletin Forum is now available. If you have an active vBulletin license, you can download your copy of 4.1 from the vBulletin Members Area at: http://members.vbulletin.com
Two items that we had envisaged making available in 4.1:
- Updated Editor – to enable WYSIWYG editing in Webkit browsers (Chrome/Safari)
- “Flexible URL Mapping”
are not included in this release. Because both the editor and the flexible URL mapping affect all aspects of our product, development and QA have taken a longer period of time than we had initially envisaged, and we are not sufficiently satisfied with the level of quality of either item to release them as features in their current state. Both items will be made available in future releases. We apologize in advance for any inconvenience this may cause.