uTorrent users, if you haven’t changed your password in the past week, do it now.
uTorrent, by far the most popular peer-to-peer file sharing client managed by BitTorrent, posted a brief but urgent security advisory on its forums on Tuesday.
According to the advisory, BitTorrent found out the day before that the unnamed vendor that powers its forums had been breached via one of its other clients. The attackers managed to download a database of information about forum users.
That’s a chunk of data: According to TorrentFreak, uTorrent has “well over 150 million active users a month.”
uTorrent also has dedicated community forums with tens of thousands of visitors per day and over 388,000 registered members.
As of Monday, 13 June, BitTorrent wasn’t talking about the breach on social media.
Leaked Source said in January that 94% of the data had already been decrypted.
But as of last Tuesday, BitTorrent said in its advisory that it was still investigating what other information might have been stolen besides the user list.
To stay on the safe side, it was assuming that more sensitive data, including passwords, could have been breached. And, according to Leaked Source, they were indeed breached.
BitTorrent advised users to assume that their logins had been compromised and to change passwords immediately.
That goes double – or triple, or quadruple, or fill in the blank – for anybody who’s used the same password on other sites.
From the advisory:
“While the passwords may not be used as a vector on the forums, those hashed passwords should be considered compromised. Anyone using the same password for forums as well as other places is strongly advised to update their passwords and/or practice good personal security practices.”
The advice to avoid password reuse is, in truth, pretty generic, but that’s because it’s very good advice.
As we’ve explained, even a long, strong, complicated password that looks devilishly hard to crack can become, effectively, a skeleton key to your whole online life if you’ve reused it.
BitTorrent’s vendor has made backend changes to ensure that the hashes in the stolen user file can’t be used as an attack vector.