Canonical, maker of the Ubuntu Linux distribution, recently announced that its Ubuntu help forums suffered a security breach over the weekend. Attackers harvested an estimated 1.82 million user names, email addresses, and hashed passwords from the site. Canonical says it isn’t yet sure how the attackers got in, and the company has taken the forums at Ubuntuforums.org offline as a precaution.
Canonical is warning anyone with an Ubuntu Forums account about the hack via email. The company is also advising users to change their security credentials on other sites, especially email, if they used the same password and username/email for other online services.
Ubuntu.com services such as Ubuntu One are not believed to be affected by the hack since they do not share the same login account as the Ubuntu forums.
Fans of the Ubuntu forums began reporting that the site had been defaced on Saturday. The hacker or group of hackers who breached the site posted an image of a penguin (the Linux mascot is a penguin) holding an AK-47.
The message underneath the image suggested the hackers were more interested in exposing a poorly secured site than anything else. “None of this ‘[you got hacked] by albani4 c3bir 4rmy’ stuff,” the message on Ubuntu’s forums site said. “Straight up, you dun goofed. It's as simple as that.”
It’s not clear if the hackers plan on exposing the database of user names and passwords online. Nevertheless, there is a definite possibility these account credentials could begin circulating around the less reputable areas of the Internet.
Canonical says forum user passwords were not stored in plain text but were hashed and salted. A hash function runs a password through a mathematical algorithm and produces a fixed-length string of letters and numbers (the digest). The same password always yields the same digest, and the function is designed to be one-way, so the site can check a login by hashing what you type and comparing digests without ever storing the password itself. “Salting” adds a random value, different for every user, to the password before it is hashed, and stores that value alongside the digest. The salt is not secret: anyone who steals the database gets it too. What it buys is that two users with the same password get different digests, so an attacker cannot use precomputed tables of common passwords and must crack every account separately.
Canonical had not returned our request for comment at this writing, so it’s not clear which hashing algorithm the company was using. However, a report from Ars Technica says Canonical was using the MD5 hash. MD5 is a popular hashing algorithm that software companies often publish alongside downloads so users can check that an executable was not tampered with or corrupted. But MD5 is not considered a secure choice for hashing passwords, salted or not, because it was built to be fast: an attacker with the stolen database and a commodity graphics card can test billions of candidate passwords per second against each salt. Password storage should instead use a deliberately slow algorithm designed for the purpose, such as bcrypt, scrypt, or PBKDF2, which makes each guess thousands of times more expensive.
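The following is an added example, not code from the article or from Canonical, showing the difference in practice: a salted MD5 record and a salted PBKDF2 record are built the way a site would store them, then attacked offline with a small constructed wordlist using the leaked salt. The concatenation order for salted MD5 (salt followed by password) is an assumption for illustration; the article does not say how the forum software combined them. Every user, salt and dictionary word here is constructed.

```python
"""
Added example (not from the article or from Canonical/Ubuntu Forums): why a salted
MD5 hash does little to protect passwords once the database is stolen, compared
with a deliberately slow password hash. Users, salts and wordlist are constructed.
"""
import hashlib
import hmac
import os
import time

SALT_LEN = 16


def md5_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted MD5: one fast digest per guess. The salt + password order is an
    assumption; the article does not state how the forum combined them."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Purpose-built password hash from the standard library: PBKDF2-HMAC-SHA256
    with a large iteration count, so every guess costs the attacker ~200k HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password: str, hash_fn):
    """What a site stores per user: a random per-user salt plus the digest.
    The salt is not secret; it is dumped together with the hash."""
    salt = os.urandom(SALT_LEN)
    return salt, hash_fn(password, salt)


def verify(password: str, salt: bytes, stored: bytes, hash_fn) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(hash_fn(password, salt), stored)


# Constructed stand-in for a cracking dictionary (real ones hold millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "ubuntu", "penguin",
            "linux4ever", "dragon", "monkey", "trustno1"]


def crack(salt: bytes, stored: bytes, hash_fn, wordlist=WORDLIST):
    """Offline dictionary attack using the leaked salt. Salting forces this loop
    to be re-run per user and defeats precomputed tables, but it does not make a
    single guess any more expensive; only the choice of hash_fn does that."""
    for guess in wordlist:
        if hmac.compare_digest(hash_fn(guess, salt), stored):
            return guess
    return None


def seconds_per_guess(hash_fn, salt: bytes, guesses: int) -> float:
    """Rough per-guess cost of hash_fn on this machine (one core, pure Python).
    Dedicated GPU crackers are orders of magnitude faster than this for MD5."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}", salt)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    salt, stored = new_record("linux4ever", md5_salted_hash)
    print("salted MD5 cracked:", crack(salt, stored, md5_salted_hash))

    # Same password, two users, two salts: the digests differ, so one
    # precomputed table cannot crack both accounts at once.
    s1, h1 = new_record("penguin", md5_salted_hash)
    s2, h2 = new_record("penguin", md5_salted_hash)
    print("same password, different salted digests:", h1 != h2)

    md5_cost = seconds_per_guess(md5_salted_hash, salt, 20_000)
    kdf_cost = seconds_per_guess(pbkdf2_hash, salt, 3)
    print(f"salted MD5: {md5_cost * 1e6:.2f} us/guess; PBKDF2: {kdf_cost * 1e3:.0f} ms/guess "
          f"({kdf_cost / md5_cost:,.0f}x slower per guess)")
```

Run it and the salted MD5 account falls to the ten-word list instantly, while each PBKDF2 guess costs tens of milliseconds even in Python; the ratio printed at the end is the factor by which a slow hash shrinks an attacker's guessing budget. Salting is still necessary (the two "penguin" records come out different), but it is the slow function, not the salt, that decides whether a leaked database is crackable in hours or in centuries.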
Batten down the hatches
Reports of password breaches are always a good time to reevaluate your own online security practices. Always use a unique password for every account, so that a breach at one site cannot be replayed against another. For tips on generating your own passwords check out PCWorld’s “Learn to use strong passwords” or “Passwords: You're doing it wrong. Here's how to make them uncrackable.”
Use a password manager such as LastPass or Password Safe to store all your various passwords for different online sites. These programs can also create new passwords for you and can automatically fill out login forms for you.
Finally, activate two-factor authentication for any services that support this security measure such as Battle.net, Dropbox, Evernote, Facebook, Gmail, Twitter, and Outlook.com. Two-factor authentication requires you to enter a second, shorter one-time code in addition to your password. The code is usually generated by a smartphone application or a small key fob and changes every few seconds, so a stolen password alone is not enough to log in.
Many services that offer two-factor authentication let you mark a PC or browser as trusted, so you only have to enter the second code the first time you sign in from a new device or browser.