The Ubuntu Forum website has been taken down after attackers defaced the homepage and accessed the database containing details of around 1,820,000 users.
“Unfortunately, the attackers have gotten every user’s local username, password and email address from the Ubuntu Forums database,” reads a holding message on the downed site.
The passwords were not stored in plain text, but stored as salted hashes, which will afford an additional level of protection, although this form of encryption is still vulnerable to cracking.
There is also no sign that the compromised details have been published online.
However, members have been advised to change their passwords as soon as possible, especially if they are using the same password for other sites or services.
“We believe the issue is limited to the Ubuntu Forums and no other Ubuntu or Canonical site or service is affected,” read a blog post by Canonical, the company that markets Ubuntu, a computing platform based on the Linux operating system.
Members have been advised to change their passwords as soon as possible, especially if they are using the same password for other sites or services
The company said it is investigating how the attackers were able to gain access and are working with the software providers to address that issue. Canonical said it will provide as much detail as possible once the investigation has been concluded.
The company said the Ubuntu Forum site will remain down until it is safe for it to be restored.
Inadequate password protection
The Ubuntu Forum passwords were cryptographically scrambled using the MD5 hashing algorithm, along with a per-user cryptographic salt, according to Ars Technica.
Security experts consider MD5, with or without salt, to be an inadequate means of protecting stored passwords, the publication noted.
While per-user salt slows down the time it takes to crack large numbers of passwords in unison, it does little to nothing to delay the cracking of small numbers of hashes.
That means the scheme used by Canonical does not prevent the decoding of individual hashes that may be targeted.
Security expert Paul Ducklin of security firm Sophos recommended that any organisation storing passwords in a database should use a strong salt-and-hash system such as bcrypt, scrypt or PBKDF2.
These systems make it much harder and slower for attackers to go through their password dictionary, he wrote in a blog post.
Register now to receive ComputerWeekly.com IT-related news, , delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners.
If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Related content from ComputerWeekly.com