MacRumors attackers: 860k password hack was 'friendly'

Hacker promises no accounts will be compromised, but notes weaknesses in password protection.


Hackers who breached Apple fan site MacRumors and made off with 860,000 passwords have said they were not being malicious but "friendly".

In a post on a MacRumors forum, user Lol explained the passwords would be easy to crack, but said they would not do so.

"We're not logging in to your Gmails, Apple accounts, or even your Yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place," Lol said.

"The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."

Lol noted 860,106 passwords were compromised, 488,429 of which were protected with older, smaller salting protections, making them slightly easier to crack with the right tools.

Salts are pseudo-random strings added to the plain text of passwords before they are passed through a one-way hashing algorithm, which turns the login credential into garbled information. If a salt is unique to each password, crackers are forced to address each password individually rather than do a tranche in one go.

Despite the added protections around certain logins, it appeared Lol would have little trouble breaking them. "We're not 'mass cracking' the hashes. It doesn't take long whatsoever to run a hash through Hashcat with a few dictionaries and salts, and get results," Lol said.

Cracking tools run password guesses through the relevant hashing algorithm to see what the output is. If the guess matches the password, the hashed result will be the same and the hacker has the login detail they are after. That's why creating a unique password remains so important for user security.

Editorial director Arnold Kim noted MacRumors had used the standard MD5 hash and salt, and admitted they were "not that strong, so assume that your password can be determined with time".
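
The salting and hashing described above can be seen in a short Python sketch, added here as an illustration and not taken from MacRumors or vBulletin. The `md5(salt + password)` layout, the scrypt cost parameters and all sample values are assumptions; it contrasts a fast salted MD5 with a deliberately slow, memory-hard function that uses a unique random salt per account.

```python
import hashlib
import hmac
import os
import time

def legacy_md5(password: str, salt: bytes) -> str:
    # Assumed layout md5(salt || password); fast by design, so each guess is cheap.
    return hashlib.md5(salt + password.encode()).hexdigest()

def scrypt_hash(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF; n/r/p are example cost parameters, tune them per deployment.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def new_record(password: str) -> dict:
    # A fresh 16-byte random salt per account, stored next to the hash.
    salt = os.urandom(16)
    return {"salt": salt, "hash": scrypt_hash(password, salt)}

def verify(password: str, record: dict) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(scrypt_hash(password, record["salt"]), record["hash"])

def seconds_per_hash(fn, rounds: int) -> float:
    # Average wall-clock cost of one hash computation.
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        fn("constructed-sample-password", salt)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample, not from the breach
    shared = b"abc"  # constructed short salt reused across accounts
    print("shared salt, same password, same hash:",
          legacy_md5(pw, shared) == legacy_md5(pw, shared))
    print("unique salts, same password, same hash:",
          legacy_md5(pw, os.urandom(16)) == legacy_md5(pw, os.urandom(16)))
    a, b = new_record(pw), new_record(pw)
    print("scrypt records differ:", a["hash"] != b["hash"], "| verifies:", verify(pw, a))
    md5_cost = seconds_per_hash(legacy_md5, 20000)
    kdf_cost = seconds_per_hash(scrypt_hash, 5)
    print(f"md5 {md5_cost:.2e}s vs scrypt {kdf_cost:.2e}s per hash")
```

The per-hash timings show why a salt alone does not rescue a fast hash: the salt stops identical passwords from sharing a stored value, while the cost of each individual guess is set by the hash function.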

Lol said the initial breach was not down to a weakness in vBulletin, the forum software powering MacRumors, but the "fault lied within a single moderator".
