Canonical, the company behind Ubuntu, announced on the wildly popular Ubuntu Forums Saturday night that “Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.”
That’s right at 1.8 million users whose information has been compromised, by a hacker or group called @sputn1k_ (whose Twitter account now returns an internal error message).
The site was defaced with the image of a machine-gun-toting Linux penguin. Now, it says that it’s down for maintenance and that “There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated regularly with progress reports.”
In addition to the inconvenience of users losing their passwords and email addresses to the hackers, there’s the very real danger that those same passwords are being used elsewhere.
The passwords are hashed but, according to an updated statement from Canonical’s CEO Jane Silber, “good practice dictates that users should assume the passwords have been accessed and change them. If users used the same password on other services they should immediately change that password.”
There is no real gain to hacking a volunteer-fueled bulletin board besides the lulz—and even that can’t go far. As one user tweeted: “You must feel proud defacing a site by volunteers. They dedicate time and effort to make a free distro. Worst kind of ‘hacker.’”
But gaining access to those users’ ecommerce and banking information is something else altogether.
As Ars Technica’s Dan Goodin notes, the MD5 hashing scheme “used by Canonical doesn’t prevent the decoding of individual hashes that may be targeted because of the attractiveness of the specific user it belongs to—a high-ranking executive, for instance, or people whose e-mail addresses belong to Fortune-500 domains.”