The forum for the techie-darling comic strip XKCD was still offline on Monday afternoon after Troy Hunt’s breach site, Have I Been Pwned, reported on Sunday that 562,000 of the forum’s accounts had been breached sometime in August.
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned https://t.co/LGaAnj1hUA — Have I Been Pwned (@haveibeenpwned) September 1, 2019
A breach notice on the echochamber.me/xkcd forums echoed Hunt’s message: portions of the forums’ phpBB user table showed up in a cache of leaked data, it said.
XKCD forums said that the breached passwords that showed up in Have I Been Pwned were salted and hashed, making them harder to crack than if they were simply hashed. A salt is a random string of bytes, different for every password, that is mixed in with the password when it is scrambled for storage in the password database.
Hashing a password means that the original password doesn’t need to be stored where a crook who stole it could simply re-use it directly. Salting ensures that even if two users choose the same password, each user ends up with a different hash, so crooks can’t simply make a giant ‘dictionary’ of hashes that would let them look up the most common passwords in one go:
We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration.
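To make the salting-and-hashing point above concrete, here is an added example (not code from the XKCD forums, phpBB or Have I Been Pwned). It stores the same weak password for two constructed users, first with a plain unsalted hash and then with a per-user random salt. The unsalted case shows why a single precomputed dictionary of hashes recovers every user who picked a common password in one go; the salted case shows the two users ending up with different stored values, so that table is useless against them. One deliberate departure from the page: phpBB3 stores MD5-based hashes, whereas this example uses PBKDF2-HMAC-SHA256 with a high iteration count, because a salt only defeats precomputed tables, while a fast hash such as MD5 still lets an attacker test guesses cheaply against each user individually. The password list and user names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "giant dictionary" of common passwords the
# article describes; a real one would hold millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "correcthorsebatterystaple"]


def unsalted_md5(password: str) -> str:
    """Plain MD5 of the password: identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> password once; it works against every unsalted database."""
    return {unsalted_md5(w): w for w in words}


def lookup_demo() -> dict:
    """Two constructed users chose the same weak password; both fall to one lookup."""
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen_db = {"alice": unsalted_md5("password"), "bob": unsalted_md5("password")}
    # The stolen hashes are identical, and each is a direct key into the table.
    return {user: table.get(h) for user, h in stolen_db.items()}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Mix a per-user salt into a slow key-derivation function (assumed choice:
    PBKDF2-HMAC-SHA256, not phpBB3's MD5 format). The salt is stored alongside
    the digest, separated by '$', so it can be reused at verification time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def store_password(password: str) -> str:
    """Generate a fresh random 16-byte salt for every stored password."""
    return salted_hash(password, os.urandom(16))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def salted_demo() -> tuple:
    """Same password, two users: different stored values, correct verification,
    and a precomputed unsalted table finds nothing."""
    alice = store_password("password")
    bob = store_password("password")
    table = build_lookup_table(COMMON_PASSWORDS)
    table_hit = alice.split("$", 1)[1] in table
    return (alice != bob, verify_password("password", alice),
            verify_password("wrong", alice), table_hit)


if __name__ == "__main__":
    print("unsalted:", lookup_demo())   # both users recovered from one table
    print("salted:", salted_demo())     # (True, True, False, False)
```

The salt is not a secret; it sits in plain view next to the digest, as the `$`-separated layout shows. Its only job is to make each user's hash unique, so the cost of guessing is paid per user rather than once for the whole database, and the slow derivation function is what makes each of those guesses expensive.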
Flaw in phpBB/no flaw in phpBB??
An earlier version of the breach notification that was up on Sunday suggested that the leak may have been enabled by an attacker scanning for a vulnerability in phpBB:
It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.
…but given that the breach notification was amended at some point to ditch the possibility of this flaw in phpBB, such a flaw has presumably been ruled out.
According to Hunt, 58% of the addresses were already in his trove of breached accounts.
Has the Correct Horse Battery been Stapled?
It’s impossible not to note the irony of XKCD, of all sites, being targeted, and of there being even a hint that the security of its password storage might come into question.
As it is, the comic’s musings/teachings on password entropy are a constant touchstone in conversations about how to pick a proper password: the correct horse battery staple strip about password strength is a classic.
But regardless of how the passwords got breached, we can turn to another XKCD strip – this one about password reuse – for the “What to do?” answer. We can also get it from the XKCD forums’ notification.
Namely, if you’re an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password.
Using the same passwords on multiple sites leaves you a sitting duck.
Here’s how to pick a proper one, and by that we mean one that’s both strong and unique for each site:
And if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more: