MacRumors Forums: Security Leak
Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a third-party security researcher. We believe that at least some user information was obtained during the attack.
In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password are now known. While the passwords are "hashed" (which is a one-way conversion from your actual password to a scrambled version), given computing power these days, if your password isn't very complex, an attacker could figure it out by brute force, trying lots of combinations.
What this means for you, if you have a MacRumors Forums account, is the following:
1. Change your password on our forums. If you have any problems, please contact us.
2. If you used the same password on any other site, change it there also.
There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as LastPass or 1Password.
Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar: the hacker logged into a moderator account and was then able to escalate their privileges with the goal of stealing user login credentials.
We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.
Why did I not get an email sooner?
According to our email service, sending such a large burst of email in one day to all of our users will result in many of those emails getting automatically blocked. As such, we are sending emails out over time to ensure they reach your inbox.