A breach of the Ubuntu Forums on Saturday means every user name, password and email address belonging to members of the free Linux distribution's community forums was potentially compromised.
More than 1.82 million accounts stored in the forums' database were stolen, according to a notice posted on the forums' home page Saturday night.
In addition, the site was defaced with a logo of a penguin wielding an assault rifle before officials took it down. Ubuntu is one of the most popular desktop Linux operating systems.
The forums remained offline Monday morning. Email requests for an update and further details to Canonical, the UK-based software company that backs the distribution, went unanswered.
“We have confirmed the attackers were able to access all user email addresses and hashed passwords on the Forums site. While the passwords were not stored in plain text, good practice dictates that users should assume the passwords have been accessed and change them,” said Canonical Chief Executive Jane Silber on the company’s blog. “If users used the same password on other services they should immediately change that password.”
Silber said the issue is confined to the Ubuntu Forums, and that no other Ubuntu or Canonical site, such as Ubuntu One, Launchpad or other services, was compromised. In addition, affected users should expect an email from Canonical with further details.
“We are continuing to investigate exactly how the attackers were able to gain access and are working with the software providers to address that issue,” Silber said. “Once the investigation is concluded, we will provide as much detail as we safely can.”
The good news is that the forums hashed and salted the passwords. The bad news is that the hash function is MD5, the default used by vBulletin, the software the forums run on. MD5 has been considered broken for years; in 2008 CERT posted an alert warning that the algorithm was vulnerable to collision attacks. Collision resistance is not what protects a stored password, though: the practical problem for password storage is that MD5 is extremely fast to compute, so an attacker holding the database can test billions of candidate passwords per second on commodity GPU hardware against the stolen hashes.
“Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity,” said CERT five years ago. “As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.”
Salting, the addition of random characters to a password before it is hashed, means that identical passwords produce different hashes and that precomputed (rainbow) tables built for one hash are useless against another; each stolen hash has to be attacked separately. It does not, however, slow down a dictionary or brute-force attack against any single hash. That requires a deliberately slow, iterated function such as bcrypt, scrypt or PBKDF2 rather than a bare MD5.
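As an added illustration of the two points above (this is editor-supplied example code, not Canonical's or vBulletin's), the script below salts and hashes a password the way a vBulletin 3/4 forum did, shows that a second salt yields a different hash for the same password, and then runs a plain dictionary attack against the salted MD5 hash to show that the salt alone does not stop it. A PBKDF2-based slow hash is included for comparison. The md5(md5(password) + salt) construction and the three-character salt are assumptions based on how vBulletin 3/4 stored passwords; the article only says the forums used salted MD5. The wordlist, salts and passwords are constructed sample data, not anything from the breach.

```python
import hashlib
import os
import time
from typing import Callable, Optional, Sequence, Tuple

# Constructed sample wordlist; a real attack would use a list of millions of entries.
WORDLIST = ["123456", "letmein", "ubuntu", "password123", "qwerty"]


def vbulletin_md5(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 scheme: md5(md5(password) + salt), hex encoded.

    Both MD5 calls are unkeyed and fast, which is the weakness discussed above."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) for comparison.

    The iteration count is the tunable cost that makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack(target: str, salt, hash_fn: Callable, wordlist: Sequence[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack: hash every candidate with the known salt and compare.

    Returns (recovered password or None, number of candidates tried)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hash_fn(candidate, salt) == target:
            return candidate, attempts
    return None, attempts


def salt_defeats_precomputation(password: str) -> bool:
    """Same password under two random salts gives two different hashes,
    so a table precomputed for one user's salt is useless for another."""
    salt_a, salt_b = os.urandom(4).hex(), os.urandom(4).hex()
    return vbulletin_md5(password, salt_a) != vbulletin_md5(password, salt_b)


def guesses_per_second(hash_fn: Callable, salt, seconds: float = 0.5) -> float:
    """Rough single-core guess rate for hash_fn on this machine (illustrative only;
    GPU crackers are orders of magnitude faster for MD5)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed salt: three characters, as in vBulletin 3/4.
    salt = "a1b"
    stolen = vbulletin_md5("password123", salt)
    print("stolen salted MD5:", stolen)
    print("different salt, same password:", salt_defeats_precomputation("password123"))
    print("dictionary attack result:", crack(stolen, salt, vbulletin_md5, WORDLIST))
    print("salted MD5 guesses/sec:", int(guesses_per_second(vbulletin_md5, salt)))
    print("PBKDF2 guesses/sec:", int(guesses_per_second(slow_hash, salt.encode())))
```

Run it as a script to see the guess-rate gap on your own CPU: the salted MD5 scheme typically allows hundreds of thousands of guesses per second on a single core, while PBKDF2 at 200,000 iterations allows only a handful, and that ratio, not the salt, is what decides how much of a stolen database gets cracked.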