Ubuntuforums.org cracker promises no password release
'Don't worry about a DB leak. That isn't how I like to do things' says 'Sputn1K'
“Sputn1k_”, the entity held responsible for stealing 1.8m passwords from ubuntuforums.org, appears to have reassured the world s/he doesn't plan to do anything bad with the credentials.
Someone or something using the Sputn1k_ name used Twitlonger to post the following missive:
“You can stop worrying about your passwords. Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be the strongest, when you're dealing with 1.8m users it would take a very long time to get anywhere with the hashes. You don't have to worry about a DB leak. That isn't how I like to do things.
If I do get into a website, most of the time there's no REAL malicious intentions. Grab the database, leave a message. That's it. I don't like to over-do things. Might cause some downtime, but what if it WAS the "syr14n c3b3r 4rmy" (not that their brain-dead brains have the power to do anything whatsoever), and they did have malicious intentions, and they did leak the database and use it to their own advantage?”
Ubuntuforums.org remains down at the time of writing, but operators have updated its status with news that “we believe the root cause of the breach has been identified” and “We are currently reinstalling the forums software from scratch. No data (posts, private messages etc.) will be lost as part of this process.”
Another update, dated July 22nd, advises “work on reinstalling the forums continues.” There's no word on when service is expected to resume. ®