Thursday, February 5, 2009
phpBB.com hacked, 400,000+ account details intercepted
The website of the online bulletin board software phpBB (PHP Bulletin Board), phpBB.com, was taken offline on Sunday following a security breach that allowed access to user account details. phpBB is an open-source software package used to run discussion forums on web sites. The attacker gained access through an unpatched security bug in PHPlist, a third-party open-source mailing-list application that the site used to manage its newsletters. The attacker had access for more than two weeks before the breach was discovered.
According to a blogger who claims to be responsible for the attack, details for more than 400,000 accounts were intercepted, including names, email addresses and hashed passwords. The writer also claims to have written a script that recovered more than 28,000 of the passwords, which were stored as unsalted MD5 hashes. According to The Register, the blogger then posted the password details to the internet.
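To show why unsalted MD5 made the leaked hashes cheap to crack, here is an added example that is not part of the original article and is not phpBB's or PHPlist's code. It runs a small dictionary attack against constructed sample accounts stored as unsalted MD5, then the same attack against the same passwords stored with a random per-user salt and an iterated KDF. The account names, passwords and wordlist are constructed for illustration, and PBKDF2-HMAC-SHA256 is an assumed hardened scheme, not something the report attributes to phpBB.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this example (not the leaked phpBB.com data):
# a small wordlist and four hypothetical accounts whose passwords are stored
# as unsalted MD5 hashes, the scheme the report describes.
WORDLIST = ["password", "123456", "letmein", "qwerty", "phpbb"]


def md5_unsalted(password: str) -> str:
    """Unsalted MD5 as the breached site stored it: same password, same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


SAMPLE_ACCOUNTS = {
    "alice": md5_unsalted("letmein"),
    "bob": md5_unsalted("123456"),
    "carol": md5_unsalted("letmein"),     # shares alice's password, so shares her hash
    "dave": md5_unsalted("Tr0ub4dor&3"),  # not in the wordlist; stays uncracked
}


def crack_unsalted_md5(accounts, wordlist):
    """Dictionary attack against unsalted hashes.

    Each candidate is hashed once and looked up against every account, so the
    cost is len(wordlist) hash computations no matter how many accounts there
    are, and one hit reveals every user sharing that password.
    Returns (cracked, hash_calls).
    """
    table = {}
    for word in wordlist:
        table[md5_unsalted(word)] = word   # precomputed lookup table
    cracked = {user: table[h] for user, h in accounts.items() if h in table}
    return cracked, len(wordlist)


def hash_password_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000):
    """Hardened storage (assumed scheme): random per-user salt plus an iterated
    KDF, PBKDF2-HMAC-SHA256. Two users with the same password get different
    digests, so no work can be shared between accounts. Returns (salt, digest).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_salted_accounts(plaintexts, iterations: int = 100_000):
    """Store the constructed accounts the hardened way."""
    return {user: hash_password_salted(pw, iterations=iterations)
            for user, pw in plaintexts.items()}


def crack_salted(salted_accounts, wordlist, iterations: int = 100_000):
    """The same dictionary attack against salted, iterated hashes.

    No shared table is possible: every candidate must be re-derived under each
    account's own salt, so the cost grows with accounts * wordlist and each
    derivation is deliberately slow. Returns (cracked, kdf_calls).
    """
    cracked = {}
    kdf_calls = 0
    for user, (salt, digest) in salted_accounts.items():
        for word in wordlist:
            kdf_calls += 1
            if verify_salted(word, salt, digest, iterations):
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    cracked, calls = crack_unsalted_md5(SAMPLE_ACCOUNTS, WORDLIST)
    print(f"unsalted MD5:  cracked {cracked} with {calls} hash computations")
    salted = build_salted_accounts(
        {"alice": "letmein", "bob": "123456", "carol": "letmein", "dave": "Tr0ub4dor&3"})
    cracked, calls = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: cracked {cracked} with {calls} KDF calls")
```

With the unsalted scheme, five MD5 computations crack three of the four accounts, and alice and carol are exposed together because their hashes are identical. With a per-user salt the attacker needs a separate KDF run for every account and candidate (thirteen here, and the iteration count makes each one far slower than a single MD5), which is the gap between "28,000 passwords in a few days" and a cracking job that scales with the number of victims.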
On the 29th of January, PHPlist was updated to fix the security bug that allowed the attack to take place. The exploit used was originally published on the 14th of January and, given the timing of the attack, it is likely that this is how the attacker learned of it.