Ubuntu Forums Hacked, Attackers Get Away With Names, Emails And Salted Passwords

Yesterday, Ubuntu custodian Canonical made users aware that its official forums had been breached via SQL injection. While usernames, email addresses and salted passwords were nabbed in the attack, Canonical is confident hackers did not get access to any core Ubuntu services.

Ubuntu was quick to inform users of the breach — which occurred on July 14 — with the news posted a day after the event.

Although the company has taken restorative and preventative measures, including rebuilding its forum servers “from the ground up” and resetting “all system and database passwords”, there’s no escaping the fact the breach leaked important user data:

“The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.

“They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted).”

Even with passwords given the cryptographic one-two, it’s still advisable that you change your login as soon as possible. As for the stolen emails, well, time to keep an eye on your inbox.

Notice of security breach on Ubuntu Forums [Ubuntu, via gHacks]

