Andre Yoskowitz
14 Nov 2013 18:50
The Mac and iOS-based news site MacRumors confirmed this week that their forums were attacked by hackers, with 860,000 usernames and passwords being stolen.
Fortunately, the hacker says he will not leak any of the passwords stolen, but MacRumors has still begged users to change their password on the site and on other sites where they might have used the same pass and username combo.
"We're not terrorists," says the attacker, who goes by "lol." "Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."
The hacker accessed a moderator account for the vBulletin software that runs the site, then escalated their access privileges, eventually dumping a database containing all the usernames, email addresses and passwords. The passwords were md5 hashed and salted, which means they will be cracked within days if not sooner. MacRumors was upfront with their users and confirmed that hash/salt is not secure and reported the breach within hours of it occurring, unlike major corporations, many of which have waited days following attacks to say anything.
"Consider the 'malicious' attack friendly," added "lol." "The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public." When asked why he didn't just alert the administrators to the flaw, lol responded by saying that "outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc."