Every username, password and email address used by members of the Ubuntu Forums was accessed in a breach reported on Saturday by the free Linux distribution.
More than 1.82 million accounts stored in the forums’ database were stolen, according to a notice posted on the forums’ home page Saturday night.
A tweet from the hacker claiming responsibility for the break-in said Ubuntu Forum users have no reason to worry.
“Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be the strongest, when you’re dealing with 1.8m users it would take a very long time to get anywhere with the hashes,” the tweet said. “You don’t have to worry about a DB leak. That isn’t how I like to do things.”
The site was defaced before it was taken down at 2015 UTC; the home page was replaced with a logo of a penguin wielding an assault rifle. Ubuntu is considered the most popular endpoint Linux distribution.
The forums remained offline Monday morning. Email requests for an update and further details to Canonical, the UK-based software company that backs the distribution, went unanswered.
“We have confirmed the attackers were able to access all user email addresses and hashed passwords on the Forums site. While the passwords were not stored in plain text, good practice dictates that users should assume the passwords have been accessed and change them,” said Canonical CEO Jane Silber on the company’s blog. “If users used the same password on other services they should immediately change that password.”
Silber said the issue is contained to the Ubuntu Forums, and that no other Ubuntu or Canonical site, such as Ubuntu One, Launchpad or other services, was hacked. In addition, users whose information was compromised should expect an email from Canonical with further details.
“We are continuing to investigate exactly how the attackers were able to gain access and are working with the software providers to address that issue,” Silber said. “Once the investigation is concluded, we will provide as much detail as we safely can.”
The passwords, the Ubuntu notice said, were hashed and salted. Ars Technica reported yesterday that Ubuntu uses MD5 to hash passwords as per vBulletin, the software upon which the forums are built. MD5 has been considered broken for a number of years; in 2008 CERT posted an alert that the algorithm was vulnerable to collision attacks; other weaknesses were described years before that.
“Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity,” said CERT five years ago. “As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.”
Salting, which is the addition of random characters to a password before it’s hashed, adds to the complexity of cracking a password hash and reduces the effectiveness of dictionary attacks, for example.
Meanwhile, in October, NIST announced it had picked a winner of a five-year-long competition to develop a new SHA-3 algorithm to take its place as the new NIST standard.
Image courtesy Paul Schultz.
Updated on July 23 with information about the hacker’s tweet.
