Though I’m not Irish, it has come to my attention that one of the largest bulletin boards in Ireland, boards.ie, has been hacked today. The attackers gained access to parts of the database “[..] which includes our members usernames, email addresses and obfuscated passwords [..]”, as stated on the official landing page that replaced the usual forums today.
The boards.ie team reset all user passwords and advises all users to change the password on every other site where they might have used it as well. In my opinion this is a good step but not absolutely necessary. And I’ll tell you why: boards.ie uses an up-to-date version of the bulletin board software vBulletin, which uses the MD5 algorithm to “obfuscate” the users’ passwords. As written earlier, the MD5 algorithm is known to be insecure and should not be used to encrypt user passwords unless it has been salted. Salting means that there is an additional “secret” (technically: an additional set of bits) used to hash the obfuscated string. This increases the so-called entropy of the hash sum, which in turn makes it very hard to “crack” the hash using traditional methods like brute-forcing or rainbow tables. That means it’s very hard for the hackers of boards.ie to get access to other systems using the stolen user data. So relax and don’t panic!
Anyway, the boards.ie team did well to reset all the user passwords as an additional security mechanism. If you want to know more about cracking MD5 hash sums, I suggest you have a look at my more in-depth articles on this topic:
[UPDATE]
The boards.ie team states on Twitter (@boards_ie) that they will not send out new passwords but require users to set a new password when the site is back up:
We are not sending out new passwords. Once the site is back, you will be invited to change your password yourself.
I guess that’s fine as well.
[/UPDATE]
[UPDATE2]
@john_ruddy has made a good point. In his opinion it might be possible that the hackers will send e-mails to the users of boards.ie containing false instructions to set a new password or enter other sensitive data. So please be aware of phishing attacks!
[/UPDATE2]
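To make the salting discussion in this post and in the comments below concrete, here is an added example (not code from the original post or from vBulletin). It assumes the stored value is md5(md5(password) + salt) with a per-user salt kept beside the hash; the user rows, salts and word list are constructed, and the PBKDF2 function is an added comparison.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def salted_md5(password: str, salt: str) -> str:
    # Assumed layout: md5(md5(password) + salt), salt stored beside the hash.
    return md5_hex(md5_hex(password) + salt)

# Constructed sample rows (username, per-user salt, stored hash); not real data.
USERS = [
    ("alice", "x9$", salted_md5("letmein", "x9$")),
    ("bob", "Qp7", salted_md5("letmein", "Qp7")),
    ("carol", "m#2", salted_md5("T7!vq-Lr0z_Kd9", "m#2")),
]
COMMON = ["123456", "password", "letmein", "qwerty"]  # constructed word list

def precomputed_hits(users, words):
    """Look stored hashes up in a table of plain md5(word), as a rainbow table would."""
    table = {md5_hex(w): w for w in words}
    return {name: table[h] for name, _, h in users if h in table}

def weak_accounts(users, words):
    """Audit with the salts known: every guess must be re-hashed per user."""
    found = {}
    for name, salt, stored in users:
        for w in words:
            if hmac.compare_digest(salted_md5(w, salt), stored):
                found[name] = w
                break
    return found

def stretched(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Hardened alternative (not on the page): PBKDF2 makes each guess cost `rounds` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

if __name__ == "__main__":
    print("same password, different hashes:", USERS[0][2] != USERS[1][2])
    print("precomputed table hits:", precomputed_hits(USERS, COMMON))
    print("weak passwords found with salts:", weak_accounts(USERS, COMMON))
```

The per-user salt gives identical passwords different hashes and empties the precomputed lookup, while the accounts with a common password are still found once the salt is known.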


4 Comments
Thanks very much for this post. Just want to confirm that Boards.ie will NOT be sending out emails with passwords or links. If you receive an email from Boards.ie that asks you to do anything like click a link, log into a website or any other action, please forward it to hello@boards.ie.
DO NOT CLICK IT!
If there’s anything we can help you with, please contact us at hello@boards.ie
Thanks very much
Darragh
If the attackers were after the passwords (rather than other useful things in the user database) you have to assume that they also managed to snag a copy of the salt in use.
However, the only likely attack on the password database is brute force, so it might be reasonable to consider only weak passwords to be at risk – if you used digits only, a dictionary word, a name, or some minor perturbation thereof, you’d be first in the firing line.
@James Beckett
Or, if they created some accounts prior to the hack, they may have a known password with its proper hash, so finding a salt can be done if it is the same for all (or some) passwords in the database.
@m4rkiz vBulletin salts are generated randomly per user at registration time, so that won’t help them in a bulk attack.