MacRumors Forums: Security Leak

macrumorslogoYesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known. While the passwords are "hashed" (which is a one-way conversion from your actual password to a scrambled version), given computing power these days, if your password isn't very complex, they could brute force figure it out by trying lots of combinations.

What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

There are several guides online for how to choose a good password. Also, you should generally keep separate passwords for every service, for situations just like this. To help manage distinct passwords for every website, you can use a password manager such as Lastpass or 1Password.

Canonical provided a post-mortem of the Ubuntu forums attack on their blog. Our case is quite similar, with a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials.

We are still working to get the forums fully functional and more secure. Again, we are very sorry for the breach.


Why did I not get an email sooner?

According to our email service, sending such a large burst of email in one day to all of our users will result in many of those emails getting automatically blocked. As such, we are sending emails out over time to ensure they reach your inbox.

Top Rated Comments

(View all)
Avatar
90 months ago
You could have ****ing told us as soon as it happened, the forum had been in maintenance mode for ages, why not tell us as soon as you put it like that?
Score: 187 Votes (Like | Disagree)
Avatar
90 months ago
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.
Score: 123 Votes (Like | Disagree)
Avatar
90 months ago
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:
Score: 48 Votes (Like | Disagree)
Avatar
90 months ago
Probably a very clever ad for iCloud Keychain
Score: 46 Votes (Like | Disagree)
Avatar
90 months ago

Password security level please?


Were passwords hashed, salted, plain text...?


They are vBulletin's standard md5 hashed and salted. Which is not that strong, so assume that your password can be determined with time.

arn
Score: 46 Votes (Like | Disagree)
Avatar
90 months ago
Ok so some people are being overly aggressive here:

1) the article clearly states "... and (hashed) password is now known." HASHED. The second highest uprated comment as of now is complaining that the passwords have *edit: not* been hashed. They have been. Learn to read. They certainly aren't stored in plaintext.

2) Others are complaining about MacRumors leaving far too long before telling us; they have only left a day. In terms of what a hacker can do with any data in one day, given the passwords are hashed, this is somewhat limited.

3) Its not as if MacRumors asked to be hacked, or didn't take any measures to prevent hacking - now clearly those measures have been proven to be ineffective but of all the forums in the world I would imagine MacRumors is pretty up to date on the security software used to protect it. Certain I worry much more about the forums I am members of using old front-ends to host their forum where the interfaces have been updated for known security flaws - in those cases hacking is really much more trivial since the flaw is public knowledge.

4) If you are stupid enough to use the same password for everything then shame on you for blaming MacRumors, and if you aren't that stupid then you have nothing to worry about hackers gaining access to your MacRumors password. Just change it and they now have a redundant password and very limited information on you. Sure, I use my MacRumors password for a few sites but only sites with few personal details where the risk of data loss in a hack is minimal and I want the convenience of a single password. Only an idiot uses one password for everything between their computer root and the least secured of connections.

tl;dr grow up and stop all blaming MacRumors for a load of things they didn't do. If you hate it that much, move to a different forum.
Score: 40 Votes (Like | Disagree)

Top Stories

Leaker: 'iPhone 12 mini' and iPhone 12 Storage Capacities Start at 64GB, Pro Models at 128GB

Tuesday September 29, 2020 2:31 am PDT by
Rumors suggest Apple's iPhone 12 launch event will be held on October 13, with the more affordable 5.4 and 6.1-inch devices set to ship out ahead of the more expensive 6.1-inch and 6.7-inch Pro devices, and this morning hit-and-miss leaker Jon Prosser has further committed to that date by providing alleged details on Apple's first shipment of finalized iPhone 12 units. Prosser claims the...

Hands-On With iOS 14.2's New Shazam Music Recognition Toggle in Control Center

Monday September 28, 2020 2:35 pm PDT by
Shortly after launching iOS 14, Apple introduced an upcoming iOS 14.2 update, which is now available to developers and public beta testers ahead of a public release that could come at some point in October. Subscribe to the MacRumors YouTube channel for more videos. The iOS 14.2 update mainly focuses on the Control Center, introducing a new Music Recognition toggle that deepens the Shazam...

Top Stories: iOS 14 Feature Tour, 'iPhone 12 mini' Rumors, Apple Watch Band Controversy

Saturday September 26, 2020 6:00 am PDT by
Things started to calm down a bit this week following last week's rush of media event, Apple Watch and iPad launches, and the release of iOS 14 and other operating updates. But that doesn't mean there wasn't still a lot of news, from digging deeper into iOS 14 to more iPhone 12 rumors to the uproar over trying to exchange band sizes on the new Apple Watch. On top of all of that, we heard...

DigiTimes: 12.9-inch Mini-LED iPad Pro Arriving Early 2021, Mini-LED MacBook Coming Later

Tuesday September 29, 2020 4:18 am PDT by
Apple will launch a 12.9-inch mini LED-backlit iPad Pro in early 2021 and a mini LED-backlit MacBook in the second-half of next year, according to DigiTimes. The Taiwan-based industry publication claims Epistar will supply the over-10,000 mini LEDs used in each iPad Pro tablet. Meanwhile, Apple is expected to recruit Osram Opto as another supplier of mini LEDs for use in a new "high-end"...

iPhone 12 May Launch Earlier Than Usual in South Korea

Monday September 28, 2020 5:24 am PDT by
The upcoming iPhone 12 lineup may launch earlier than usual in South Korea, reports The Korea Herald. South Korean telecoms firms speaking to The Korea Herald have said that the iPhone 12 lineup will launch ahead of its usual schedule. Normally, the release of new iPhones in South Korea comes about one month after launch in the United States. Last year, the iPhone 11 arrived in South Korea ...

iOS 14: 'Phoenix 2' Space Shooter Delivers Playable Demo via App Clips

Saturday September 26, 2020 2:08 pm PDT by
One of the new features that arrived in iOS 14 is called App Clips. App Clips is described by Apple to be a "small part of your app" that can be available to users at just the right moment.App Clips focus on finishing one task quickly. An ideal App Clip experience allows users to open and complete a task in seconds. Instead of requiring an App Store download, they can be loaded and run via...

Epic Games Unlikely to Win Injunction in Ongoing Fortnite Battle With Apple, Jury Trial Possible

Monday September 28, 2020 1:14 pm PDT by
The ongoing legal dispute between Apple and Epic Games continued on today, with a preliminary injunction hearing taking place this morning. We're still waiting to hear the judge's official ruling, but it looks like Epic is not going to be granted an injunction to allow Fortnite back into the App Store as the case unfolds. Many of the arguments that lawyers for Apple and Epic Games made were...

iPhone 12 Production Lines at Foxconn's Zhengzhou Factory in China Running '24 Hours a Day'

Tuesday September 29, 2020 3:38 am PDT by
Apple contract manufacturer Foxconn is running its massive Zhengzhou factory in China 24 hours a day to produce the new iPhone 12, according to Chinese media reports. Apple's main iPhone manufacturer in China is said to be cancelling workers' holidays and introducing mandatory overtime with additional bonuses for longer-serving staff, according to information garnered from employees,...

'iPhone 12 mini' Name Reappears in Leaked Apple iPhone 12 Case Stickers

Friday September 25, 2020 1:58 am PDT by
Earlier this week a proven leaker claimed that the iPhone 12 lineup would be named "iPhone 12 mini," "iPhone 12," "iPhone 12 Pro," and "iPhone 12 Pro Max," and today the same nomenclature has appeared again in a photo depicting alleged stickers from unreleased Silicone iPhone cases originating from Apple's international distribution center in Ireland. The photo shows three stickers with the...

Apple Releases iOS 14.0.1 With Fix for Bug That Resets Default Apps After Rebooting

Thursday September 24, 2020 10:12 am PDT by
Apple today released iOS 14.0.1, the first update to the iOS 14 operating system that was released on September 16. Today's update is a bug fix update addressing issues that weren't able to be fixed in the initial iOS 14 launch. The iOS 14.0.1 update is available on all eligible devices over-the-air in the Settings app. To access the new software, go to Settings > General > Software Update. ...