MacRumors Forums: Security Leak

Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known. While the passwords are "hashed" (which is a one-way conversion from your actual password to a scrambled version), given the computing power available these days, if your password isn't very complex, an attacker could figure it out by brute force, trying lots of combinations.

What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as LastPass or 1Password.

Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar: the hacker logged into a moderator account and was then able to escalate their privileges, with the goal of stealing user login credentials.

We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.


Why did I not get an email sooner?

According to our email service, sending such a large burst of email in one day to all of our users will result in many of those emails getting automatically blocked. As such, we are sending emails out over time to ensure they reach your inbox.

Top Rated Comments

83 months ago
You could have ****ing told us as soon as it happened, the forum had been in maintenance mode for ages, why not tell us as soon as you put it like that?
Score: 187 Votes
83 months ago
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.
Score: 123 Votes
83 months ago
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:
Score: 48 Votes
83 months ago
Probably a very clever ad for iCloud Keychain
Score: 46 Votes
83 months ago

Password security level please?


Were passwords hashed, salted, plain text...?


They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.

arn
Score: 46 Votes
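
Added example, not part of the comment above and not MacRumors' or vBulletin's code: one way a site holding salted-MD5 records can raise the cost of guessing without waiting for every user to log in is to wrap each stored hash in a slow key-derivation function. It assumes the legacy layout is md5(md5(password) + salt), which the page does not spell out; the record fields, scheme names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # example work factor (assumption); tune to your hardware

def vb_legacy_hash(password, salt):
    # Assumed legacy layout: md5(md5(password) + salt), hex digests throughout.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def slow_wrap(legacy_hex, wrap_salt, iterations=PBKDF2_ITERATIONS):
    # Feed the stored legacy hash through PBKDF2 so each guess costs many HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode("ascii"), wrap_salt, iterations).hex()

def migrate_record(record):
    # Offline upgrade: needs only the stored hash, never the user's password.
    if record["scheme"] != "vb-md5":
        return record
    wrap_salt = os.urandom(16)
    return {
        "scheme": "pbkdf2-wrapped-vb-md5",
        "salt": record["salt"],            # legacy salt is still needed at login
        "wrap_salt": wrap_salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": slow_wrap(record["hash"], wrap_salt),
    }

def verify(password, record):
    # Recompute the legacy hash, then apply the wrapper if the record has one.
    legacy = vb_legacy_hash(password, record["salt"])
    if record["scheme"] == "vb-md5":
        candidate = legacy
    elif record["scheme"] == "pbkdf2-wrapped-vb-md5":
        candidate = slow_wrap(legacy, bytes.fromhex(record["wrap_salt"]), record["iterations"])
    else:
        raise ValueError("unknown scheme: " + record["scheme"])
    return hmac.compare_digest(candidate, record["hash"])

# Constructed sample record (not real data).
SAMPLE = {
    "scheme": "vb-md5",
    "salt": "x7#",
    "hash": vb_legacy_hash("correct horse battery staple", "x7#"),
}
```

Wrapping protects the stored table from here on; it does nothing for copies of the old hashes that have already been taken, which is why the password change is still needed.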
83 months ago
Ok so some people are being overly aggressive here:

1) the article clearly states "... and (hashed) password is now known." HASHED. The second highest uprated comment as of now is complaining that the passwords have *edit: not* been hashed. They have been. Learn to read. They certainly aren't stored in plaintext.

2) Others are complaining about MacRumors leaving far too long before telling us; they have only left a day. In terms of what a hacker can do with any data in one day, given the passwords are hashed, this is somewhat limited.

3) It's not as if MacRumors asked to be hacked, or didn't take any measures to prevent hacking - now clearly those measures have been proven to be ineffective but of all the forums in the world I would imagine MacRumors is pretty up to date on the security software used to protect it. Certainly I worry much more about the forums I am members of using old front-ends to host their forum where the interfaces have been updated for known security flaws - in those cases hacking is really much more trivial since the flaw is public knowledge.

4) If you are stupid enough to use the same password for everything then shame on you for blaming MacRumors, and if you aren't that stupid then you have nothing to worry about hackers gaining access to your MacRumors password. Just change it and they now have a redundant password and very limited information on you. Sure, I use my MacRumors password for a few sites but only sites with few personal details where the risk of data loss in a hack is minimal and I want the convenience of a single password. Only an idiot uses one password for everything between their computer root and the least secured of connections.

tl;dr grow up and stop all blaming MacRumors for a load of things they didn't do. If you hate it that much, move to a different forum.
Score: 40 Votes
