MacRumors attackers: 860k password hack was 'friendly'

Hacker promises no accounts will be compromised, but notes weaknesses in password protection.

Password and username box

Hackers who breached Apple fan site MacRumors and made off with 860,000 passwords have said they were not being malicious but "friendly".

In a post on a MacRumors forum, a post from user Lol' explained the passwords would be easy to crack, but they would not do so.

We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place.

"We're not logging in to your Gmails, Apple accounts, or even your Yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place," Lol said.

"The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."

Lol noted 860,106 passwords were compromised, 488,429 of which were protected with older, smaller salting protections, making them slightly easier to crack with the right tools.

Salts see pseudo-random strings added to the plain text of passwords, before they are passed through a one-way hashing algorithm to turn the login credential into garbled information. If unique to each password, they force crackers to address each password individually rather than do a tranche in one go.

Despite the added protections around certain logins, it appeared Lol would have little trouble breaking them. "We're not mass cracking' the hashes. It doesn't take long whatsoever to run a hash through Hashcat with a few dictionaries and salts, and get results," Lol said.

Cracking tools run password guesses through the relevant hashing algorithm to see what the output is. If the guess matches with the password, the hashed result will look the same and the hacker has the login detail they are after. That's why creating a unique password remains so important for user security.

Editorial director Arnold Kim noted MacRumors had used the standard MD5 hash and salt, and admitted they were "not that strong, so assume that your password can be determined with time".

Lol said the initial breach was not down to a weakness in vBulletin, the forum software powering MacRumors, but the "fault lied within a single moderator".

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Colonial Pipeline reportedly paid $5 million ransom
Security

Colonial Pipeline reportedly paid $5 million ransom

13 May 2021
Apple's AirTag tracker has already been hacked
hacking

Apple's AirTag tracker has already been hacked

10 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021