Ubuntu forums breached, 1.8m passwords pinched
Credentials were salted and hashed but resets recommended
Ubuntuforums.org, the Linux distribution's online community, has shut down for maintenance after a security breach.
It's not a pretty one: the site's operators say “Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.”
The good news is that “The passwords are not stored in plain text, they are stored as salted hashes.”
The second piece of bad news is that a quick trip to the site through the wayback machine produces a page stating the site has 1,824,159 members, of whom 19,493 are classified as “active”. That's a lot of users who may not be visiting the site often enough to know of the breach. Little wonder then that the announcement on the site recommends “if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.”
The site was taken down on Saturday evening, UK time, after being defaced earlier in the day. The defacement has been attributed to a twitter user @Sputn1k_, who's not exactly the Internet's best friend right now.
@Sputn1k_ You must feel proud defacing a site by volunteers. They dedicate time and effort to make a free distro. Worst kind of "hacker"— Alex (@aldude999) July 21, 2013
The site is still down at the time of writing, which could indicate the attack was severe or that Canonical, the company backing Ubuntu, hasn't been able to get a lot of engineers back on duty over the weekend.
Other Ubuntu services, namely Ubuntu One and Launchpad, aren't impacted by the breach. ®