MacRumors attackers: 860k password hack was 'friendly'

Hacker promises no accounts will be compromised, but notes weaknesses in password protection.

Password and username box

Hackers who breached Apple fan site MacRumors and made off with 860,000 passwords have said they were not being malicious but "friendly".

In a post on a MacRumors forum, a post from user Lol' explained the passwords would be easy to crack, but they would not do so.

"We're not logging in to your Gmails, Apple accounts, or even your Yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place," Lol said.

"The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."

Lol noted 860,106 passwords were compromised, 488,429 of which were protected with older, smaller salting protections, making them slightly easier to crack with the right tools.

Salts see pseudo-random strings added to the plain text of passwords, before they are passed through a one-way hashing algorithm to turn the login credential into garbled information. If unique to each password, they force crackers to address each password individually rather than do a tranche in one go.

Despite the added protections around certain logins, it appeared Lol would have little trouble breaking them. "We're not mass cracking' the hashes. It doesn't take long whatsoever to run a hash through Hashcat with a few dictionaries and salts, and get results," Lol said.

Cracking tools run password guesses through the relevant hashing algorithm to see what the output is. If the guess matches with the password, the hashed result will look the same and the hacker has the login detail they are after. That's why creating a unique password remains so important for user security.

Editorial director Arnold Kim noted MacRumors had used the standard MD5 hash and salt, and admitted they were "not that strong, so assume that your password can be determined with time".

Lol said the initial breach was not down to a weakness in vBulletin, the forum software powering MacRumors, but the "fault lied within a single moderator".

Featured Resources

Seven steps to connect and empower your frontline workers

How business leaders can improve communication with a secure platform

Free download

Create what’s next

The future of collaboration and productivity

Free Download

Leveraging the cloud without relinquishing control

Your data. Their cloud.

Free download

Re-architecting for nonstop innovation

Unlocking productivity, scalability, and lower costs for cloud natives

Free Download

Recommended

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Iranian hackers ramp up attacks against IT services sector
hacking

Iranian hackers ramp up attacks against IT services sector

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021
Alibaba ECS instances targeted in new cryptojacking campaign
cryptocurrencies

Alibaba ECS instances targeted in new cryptojacking campaign

16 Nov 2021

Most Popular

Looking beyond the obvious: What’s best for multi-cloud?
Sponsored

Looking beyond the obvious: What’s best for multi-cloud?

8 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021
How to speed up Microsoft's Windows 11
Microsoft Windows

How to speed up Microsoft's Windows 11

9 Nov 2021