Thread: phpBB 2 usernames/passwords hacked and posted

  1. #1
    Tom Finley (Brigadier General)
    Join Date: Mar 2008
    Location: Kauai, HI
    Posts: 1,296

    phpBB 2 usernames/passwords hacked and posted

    I have no idea where I should post this, so I'll let you see it and maybe a mod can move it.

    This pertains to anyone using phpBB version 2, the one available here at VodaHost. From the phpBB site (see especially the red part):

    ......................

    As you may already be aware from the message on phpBB.com or the topic in the #phpBB channel on Freenode, we have recently been attacked via a vulnerability in an outdated PHPList installation. It is important to stress that no vulnerabilities have been found in the phpBB software itself.

    We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.

    The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

    phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not log in on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format.

    If the password to your phpBB.com account is used anywhere else (especially with the same username), we strongly recommend that you change it. Using the same password across multiple sites is not security-wise and should not be done under any circumstance. Additionally, you should change your password on phpBB.com when it becomes available.

    We apologise that we allowed this to happen by not patching vulnerable software in time. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. At this time, the team is working around the clock to restore phpBB.com and other resources.

    Thank you,

    - The phpBB Teams
    CLAMcentral.com Children's Ministry resources
    CLAMcentral's Projects Blog
    CLAMbakeonline.com Family Fun
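    The announcement says accounts that never logged in after the phpBB3 upgrade still carry the old unsalted md5. An added example (not phpBB's own code) that scans a dump of the users table for such accounts so they can be forced to reset; phpBB 3.0's phpass "$H$" format is real, the sample rows are constructed, and the query assumes the default "phpbb_" table prefix.

```python
import hashlib
import re

# phpBB 3.0 stores passwords as phpass "portable" hashes: "$H$" followed by 31 chars
# (one iteration-count character, an 8-character salt, a 22-character hash). An account
# carried over from phpBB2 that never logged in again keeps the bare 32-hex md5, which is
# the format the announcement says the attackers concentrated on.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")
PHPBB3_PHPASS = re.compile(r"^\$H\$[./0-9A-Za-z]{31}$")


def classify_hash(stored: str) -> str:
    """Label one user_password value by the storage format it is in."""
    if LEGACY_MD5.match(stored):
        return "legacy-md5"
    if PHPBB3_PHPASS.match(stored):
        return "phpbb3-phpass"
    return "unknown"


def legacy_accounts(rows):
    """rows: (username, user_password) pairs read from the phpbb_users table.
    Returns the usernames whose hash is still an unsalted phpBB2 md5."""
    return [name for name, stored in rows if classify_hash(stored) == "legacy-md5"]


# Pulls the same two columns from a live board (assumes the default "phpbb_" prefix).
LEGACY_QUERY = (
    "SELECT username, user_password FROM phpbb_users "
    "WHERE user_password NOT LIKE '$H$%'"
)

# Constructed sample rows standing in for a dump; none of these are real accounts.
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"password").hexdigest()),  # phpBB2-era, never logged in since
    ("bob", "$H$9abcdefghijklmnopqrstuvwxyz0123"),    # phpBB3 format, salt/hash constructed
    ("carol", hashlib.md5(b"letmein").hexdigest()),   # phpBB2-era
    ("dave", "$2y$10$" + "x" * 53),                    # newer format this scanner does not classify
]

if __name__ == "__main__":
    for name in legacy_accounts(SAMPLE_ROWS):
        print(f"{name}: legacy md5 hash, force a password reset")
```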

  2. #2
    Karen Mac (General)
    Join Date: Apr 2006
    Location: X marks the spot
    Posts: 8,354

    Re: phpBB 2 usernames/passwords hacked and posted

    That's why it's worth EVERY single penny to buy vBulletin. If you have a forum of any size worth keeping, it's worth having.

    Karen

    VodaHost

    Your Website People!
    1-302-283-3777 North America / International
    07031847328 / United Kingdom

    ------------------------

    Top 3 Best Sellers

    Web Hosting - Unlimited disk space & bandwidth.

    Reseller Hosting - Start your own web hosting business.

    Search Engine & Directory Submission - 300 directories + (Google,Yahoo,Bing)



  3. #3
    Watdaflip (Major General)
    Join Date: Sep 2005
    Location: Cincinnati, Ohio
    Posts: 2,119

    Re: phpBB 2 usernames/passwords hacked and posted

    Just wanted to point out that there is no reason to be alarmed or feel insecure about your own forum because of this attack on phpbb's community forum. The attack was not because of any holes/bugs in the forum itself, it was a 3rd party addon phpbb was using on their own site that allowed the hacker to get in.

    Also, technically vB isn't any more secure considering the fact that it was an addon for phpBB that caused the security flaw. All it would take is installing a poorly coded vBulletin addon and you're just as vulnerable.

    Now vB has used a salt for quite some time now, but even that doesn't prevent your password from being stolen. It just means there is an additional step needed.

    With the password from phpbb 2.x it was only passed through the md5 function to hash the password. If someone gets hold of that hash they can run it through a process to compare it to a table of hashes that contains all possible combinations of strings up to a certain number of characters (called a rainbow table). Now if you have a password that is 5 characters long, there are 1,934,917,632 possible combinations (assuming a normal password type). Now not all of those have to be searched to find the password, but it still takes quite a bit of time to do. If you have a 7 character password the number of combinations jumps to 10,030,613,004,288. This number grows exponentially with each additional character in your password.

    The benefit of having a salt is that, even if the salt is known (phpbb's website had their entire user table stolen, so the salt would have been included), the hacker has to generate a rainbow table specific to that salt. This also takes longer to search than a generic rainbow table of hashes without salts.

    Register/Login Script
    Do you use a Password Protected Directory? Need a way to allow users to make their own account, try my .htaccess Login Script
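    An added example (not from the post or from phpBB/vBulletin) that works through the two points above: the keyspace figures the post quotes, which correspond to a 72-character alphabet, and why one precomputed table serves every unsalted phpBB2 hash while a per-user salt forces a fresh table per salt. The salted scheme shown is an illustrative md5(password + salt), not vBulletin's exact formula, and the candidate list and rows are constructed.

```python
import hashlib

# Alphabet size that reproduces the post's figures: 26 lower + 26 upper + 10 digits + 10 symbols.
ALPHABET_SIZE = 72


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Candidates a precomputed table must cover for passwords of this length."""
    return alphabet_size ** length


def phpbb2_hash(password: str) -> str:
    """phpBB 2.x storage: a bare md5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Illustrative salted scheme (assumption, not vBulletin's formula): md5 of password plus a per-user salt."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def lookup_unsalted(candidates, stored_hashes):
    """One table built once is reused against every stored hash. Returns (hits, tables_built)."""
    table = {phpbb2_hash(p): p for p in candidates}
    hits = {h: table[h] for h in stored_hashes if h in table}
    return hits, 1


def lookup_salted(candidates, stored):
    """stored: (salt, hash) pairs. The table has to be rebuilt for each distinct salt,
    which is the extra step the post describes."""
    hits, tables_built = {}, 0
    for salt, h in stored:
        tables_built += 1
        table = {salted_hash(p, salt): p for p in candidates}
        if h in table:
            hits[h] = table[h]
    return hits, tables_built


# Constructed candidate list and user rows (not real credentials).
CANDIDATES = ["password", "letmein", "qwerty"]
USER_PASSWORDS = ["password", "qwerty", "Tr0ub4dor&3"]
UNSALTED_ROWS = [phpbb2_hash(p) for p in USER_PASSWORDS]
SALTED_ROWS = [(s, salted_hash(p, s)) for s, p in zip(["a1", "b2", "c3"], USER_PASSWORDS)]

if __name__ == "__main__":
    print("5-char keyspace:", keyspace(5), " 7-char keyspace:", keyspace(7))
    print("unsalted:", lookup_unsalted(CANDIDATES, UNSALTED_ROWS))
    print("salted:  ", lookup_salted(CANDIDATES, SALTED_ROWS))
```

    With the salt known, the same two weak passwords are still found, but the table had to be rebuilt three times instead of once; with a strong unique password per account neither lookup succeeds.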

  4. #4
    LadyEye (General & Forum Moderator)
    Join Date: Jun 2006
    Location: Canada
    Posts: 10,548

    Re: phpBB 2 usernames/passwords hacked and posted

    Moved to Start Your Own Community Forum.

    Quote Originally Posted by Watdaflip:
    Just wanted to point out that there is no reason to be alarmed or feel insecure about your own forum because of this attack on phpbb's community forum.

    Now vB has used a salt for quite some time now.
    The benefit of having a salt is that if the salt is known.
    Now, I never use salt without pepper, so pass the peppa please ..


  5. #5
    Join Date: Mar 2006
    Location: Mallorca, Spain
    Posts: 6,313

    Re: phpBB 2 usernames/passwords hacked and posted

    Quote Originally Posted by Watdaflip:
    Just wanted to point out that there is no reason to be alarmed or feel insecure about your own forum because of this attack on phpbb's community forum. The attack was not because of any holes/bugs in the forum itself, it was a 3rd party addon phpbb was using on their own site that allowed the hacker to get in.

    Also, technically vB isn't any more secure considering the fact that it was an addon for phpBB that caused the security flaw. All it would take is installing a poorly coded vBulletin addon and you're just as vulnerable.

    Now vB has used a salt for quite some time now, but even that doesn't prevent your password from being stolen. It just means there is an additional step needed.

    With the password from phpbb 2.x it was only passed through the md5 function to hash the password. If someone gets hold of that hash they can run it through a process to compare it to a table of hashes that contains all possible combinations of strings up to a certain number of characters (called a rainbow table). Now if you have a password that is 5 characters long, there are 1,934,917,632 possible combinations (assuming a normal password type). Now not all of those have to be searched to find the password, but it still takes quite a bit of time to do. If you have a 7 character password the number of combinations jumps to 10,030,613,004,288. This number grows exponentially with each additional character in your password.

    The benefit of having a salt is that, even if the salt is known (phpbb's website had their entire user table stolen, so the salt would have been included), the hacker has to generate a rainbow table specific to that salt. This also takes longer to search than a generic rainbow table of hashes without salts.

    Not according to the above...
