The hacker behind Monday’s breach of an Apple-related rumor and news website has promised not to leak any of the 860,000 passwords he stole.
But the hacker — known as “lol” — said that any users who’d reused the same password on other sites had only themselves to blame. “We’re not terrorists,” he said. “Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”
The MacRumors website disclosed the breach Tuesday, saying that an attacker accessed a moderator account for the vBulletin software — sold by Internet Brands — that runs its online forums, then managed to escalate their access privileges and dump a database containing usernames, email addresses and passwords, which were hashed and salted. The site recommended that all users immediately change their password for MacRumors, as well as for any other site on which they’d used the same password.
“We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher,” said “MacRumors god” Arn Kim. “We believe that at least some user information was obtained during the attack,” including passwords, he added. “They are vBulletin’s standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.”
In a series of MacRumors forum posts, lol confirmed Wednesday that he’d dumped the forum database and obtained usernames, email addresses, and salted and hashed passwords for 860,106 users. As proof that he was behind the hack, lol also published the first 16 bits of Kim’s old password hash, as well as the salt used for the password. But lol promised not to leak or even crack the passwords, or use the information to hack into people’s Gmail, Apple, Yahoo or other accounts, “unless we target you specifically for some unrelated reason.”
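Kim’s point that salted MD5 “can be determined with time” is easy to see in code. The example below is added here and is not from the article or from vBulletin; it assumes the widely documented vBulletin 3.x/4.x scheme md5(md5(password) + salt), and the dump, salts and wordlist are constructed for illustration. The per-user salt defeats a single precomputed table, but every guess against every user still costs just two MD5 calls, so a wordlist runs through a dump like this at hardware speed:

```python
import hashlib

def vb_hash(password: str, salt: str) -> str:
    """Salted MD5 as vBulletin 3.x/4.x stores it: md5(md5(password) + salt).
    The scheme is assumed from public documentation, not from the article."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Constructed sample "dump" of (username, stored_hash, salt). Not real data.
_SALTS = {"alice": "Ab3", "bob": "Zq9", "carol": "mT7"}
SAMPLE_DUMP = [
    ("alice", vb_hash("letmein", _SALTS["alice"]), _SALTS["alice"]),
    ("bob", vb_hash("correct horse battery staple", _SALTS["bob"]), _SALTS["bob"]),
    ("carol", vb_hash("letmein", _SALTS["carol"]), _SALTS["carol"]),
]

# Constructed wordlist; a real one would be millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "macrumors"]

def crack(dump, wordlist):
    """Offline dictionary attack against a salted-MD5 dump.

    Returns (recovered, attempts): recovered maps username -> plaintext for every
    user whose password was in the wordlist; attempts counts vb_hash evaluations.
    Salts force one pass per user rather than one per candidate, but each pass is
    two cheap MD5s, which is why the salt alone does not make the dump safe.
    """
    recovered = {}
    attempts = 0
    for username, stored, salt in dump:
        for candidate in wordlist:
            attempts += 1
            if vb_hash(candidate, salt) == stored:
                recovered[username] = candidate
                break
    return recovered, attempts

def reuse_groups(recovered):
    """Group recovered users by plaintext. Users sharing a password (or, in a real
    dump, reusing one from another site) are the ones the article warns about."""
    groups = {}
    for username, password in recovered.items():
        groups.setdefault(password, []).append(username)
    return {pw: sorted(users) for pw, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    found, n = crack(SAMPLE_DUMP, WORDLIST)
    print(f"{len(found)} of {len(SAMPLE_DUMP)} recovered after {n} hash evaluations")
    for user, pw in found.items():
        print(f"  {user}: {pw}")
    print("shared passwords:", reuse_groups(found))
```

Bob survives only because his password is not in the wordlist; a slow, memory-hard hash (bcrypt, scrypt, Argon2) would instead make each of those `attempts` expensive, which is the property salted MD5 lacks.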
A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary, we will release patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:
4.X – /install/
5.X – /core/install
After deleting these directories your sites cannot be affected by the issues that we’re currently investigating.
vBulletin 3.X and pre-4.1 would not be affected by these issues. However, if you want the best security precautions, you can delete your install directory as well.
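A small script makes the advisory’s step repeatable across several forums and verifiable afterwards. This is an added example, not a vBulletin tool: it only knows the two relative paths the advisory names (`install/` for 4.x, `core/install` for 5.x), refuses to follow a symlink out of the web root, and reports what it removed. `make_demo_webroot` builds a throwaway directory tree so the script can be run without a real installation:

```python
import shutil
import tempfile
from pathlib import Path

# Relative paths from the advisory: 4.x ships install/, 5.x ships core/install.
INSTALL_DIRS = {"4.x": Path("install"), "5.x": Path("core") / "install"}

def find_install_dirs(webroot):
    """Return {version_label: absolute_path} for every install directory present."""
    root = Path(webroot)
    return {label: root / rel for label, rel in INSTALL_DIRS.items() if (root / rel).is_dir()}

def remove_install_dirs(webroot, dry_run=False):
    """Delete the install directories under webroot and return the labels removed.

    A directory that resolves outside the web root (e.g. a symlink planted there)
    is skipped rather than deleted, so the script cannot be steered at other paths.
    """
    root = Path(webroot).resolve()
    removed = []
    for label, path in find_install_dirs(root).items():
        if path.is_symlink() or root not in path.resolve().parents:
            continue
        if not dry_run:
            shutil.rmtree(path)
        removed.append(label)
    return sorted(removed)

def verify_clean(webroot):
    """True once neither install directory exists; run this after the removal."""
    return not find_install_dirs(webroot)

def make_demo_webroot(version):
    """Create a constructed web root laid out like a 4.x or 5.x install, for demos.
    Returns the temporary directory path; the layout is assumed, not copied from vBulletin."""
    root = Path(tempfile.mkdtemp(prefix="vb_demo_"))
    (root / "index.php").write_text("<?php // placeholder\n")
    target = root / INSTALL_DIRS[version]
    target.mkdir(parents=True)
    (target / "install.php").write_text("<?php // placeholder\n")
    return root

if __name__ == "__main__":
    for version in ("4.x", "5.x"):
        root = make_demo_webroot(version)
        print(f"{version} demo at {root}: would remove {remove_install_dirs(root, dry_run=True)}")
        print(f"  removed {remove_install_dirs(root)}; clean: {verify_clean(root)}")
        shutil.rmtree(root)
```

Run with `dry_run=True` first on a production root, then re-run the check after deployment: an upgrade or a re-extracted archive can silently put `install/` back.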
I now have a new server. A Virtual Dedicated Server to be accurate.
It’s been commissioned awaiting the migration of all my hosted sites from the existing server to the new VDS.
I’m really looking forward to seeing the four-core processor in action, as one of my personal sites, yellowandblack.com.au, has been experiencing some issues of late. Here’s hoping that the server upgrade will fix that.
In addition to the server upgrade, I’m currently testing a replacement for the XenForo forum software that yellowandblack.com.au currently runs. I’ve created some test migrations of the site to IP.Board and vBulletin so I can evaluate their suitability. At present, I favour a move back to vBulletin which the site used for several years.
I would like to announce that version 4.1 of vBulletin Publishing Suite and vBulletin Forum is now available. If you have an active vBulletin license, you can download your copy of 4.1 from the vBulletin Members Area at: http://members.vbulletin.com
Two items that we had envisaged making available in 4.1:
- Updated Editor – to enable WYSIWYG editing in WebKit browsers (Chrome/Safari)
- “Flexible URL Mapping”
are not included in this release. Because both the editor and the flexible URL mapping affect all aspects of our product, development and QA have taken longer than we had initially envisaged, and we are not sufficiently satisfied with the level of quality of either item to release them as features in their current state. Both items will be made available in future releases. We apologize in advance for any inconvenience this may cause.