The concept of hacking is still alive and well, often with unpleasant results for ordinary Internet users. Just ask the nearly two million users of the Ubuntu Forum who are rushing to change the passwords on their forum accounts following a breach that exposed not only the forum's password data but also user names and e-mail addresses.
The attack came to light when the Ubuntu Forum was taken offline Saturday evening, after staff discovered that the site's homepage had been defaced and that an attacker had somehow gained privileged access to the servers powering the forum. Canonical, the company behind Ubuntu, quickly told members that if the password used on the forum was also used anywhere else (a common if frequently discouraged practice), it should be changed everywhere, as the password data had been accessed without authorization.
There was some good news: there was no sign that the stolen data had been published anywhere, and once users have changed their passwords the leaked hashes lose most of their value. It is still clearly cause for concern, especially for Canonical. Additionally, because the passwords were not stored in plain text, an attacker has to recover them by guessing rather than simply read them off. Even so, the warning from Canonical was both timely and well-advised.
Reports from Jane Silber, Canonical's CEO, indicated that the passwords were protected with the MD5 hashing algorithm and a per-user cryptographic salt. Many password experts regard MD5, with or without a salt, as inadequate for this purpose: a salt defeats precomputed lookup tables and forces the attacker to work on each account separately, but MD5 itself is so fast that commodity GPU hardware can still test billions of guesses per second against a single hash. This only gets worse if those holding the data spot a potentially valuable target, such as accounts with e-mail addresses at major corporations. This has led many to recommend a deliberately slow password hashing function such as bcrypt or scrypt, whose tunable cost can stretch the time needed to crack a strong password into years or more.
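To make the difference concrete, the following is an added example (written for this article, not Canonical's code and not the forum software's own password scheme): it stores a few constructed user records as md5(salt || password), the layout assumed here for illustration, runs a dictionary attack against them, and then hashes the same passwords with scrypt from Python's standard library so the cost per guess can be compared. The user names, passwords and wordlist are constructed sample data.

```python
"""Salted MD5 versus a deliberately slow password hash (constructed example)."""
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Tuple

# Constructed sample data: three forum users and the passwords they chose.
SAMPLE_USERS = {
    "alice": "letmein",
    "bob": "ubuntu2013",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist; two of the three passwords above are in it.
WORDLIST = ["password", "123456", "letmein", "ubuntu", "ubuntu2013", "qwerty"]


# --- The weak scheme: a fast hash with a per-user salt ----------------------

def md5_salted(password: str, salt: bytes) -> str:
    """Assumed layout md5(salt || password). The salt stops precomputed tables
    but does nothing to slow down each individual guess."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_md5_records(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Store (salt, digest) per user, with a fresh random salt for each."""
    records = {}
    for name, password in users.items():
        salt = os.urandom(8)
        records[name] = (salt, md5_salted(password, salt))
    return records


def crack_md5_records(records: Dict[str, Tuple[bytes, str]],
                      wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack against every record. Because salts differ, the work is
    repeated per user, but each guess still costs only one MD5 computation."""
    cracked = {}
    wordlist = list(wordlist)
    for name, (salt, digest) in records.items():
        for guess in wordlist:
            if md5_salted(guess, salt) == digest:
                cracked[name] = guess
                break
    return cracked


# --- The recommended scheme: a tunable-cost, memory-hard hash --------------

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # raise N over time as hardware improves


def slow_hash(password: str, salt: bytes) -> bytes:
    """scrypt from the standard library (needs an OpenSSL build with scrypt);
    falls back to PBKDF2-HMAC-SHA256, another deliberately slow function."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=32)


def slow_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so verification itself leaks nothing by timing."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


def guesses_per_second(hash_fn, seconds: float = 0.3) -> float:
    """Rough single-core throughput of hash_fn. The ratio between the two schemes
    is the point; the absolute figures vary from machine to machine."""
    salt = os.urandom(8)
    count, stop = 0, time.perf_counter() + seconds
    while True:
        hash_fn("guess%d" % count, salt)
        count += 1
        if time.perf_counter() >= stop:
            break
    return count / seconds


if __name__ == "__main__":
    records = make_md5_records(SAMPLE_USERS)
    print("salted MD5 cracked:", crack_md5_records(records, WORDLIST))
    fast = guesses_per_second(md5_salted)
    slow = guesses_per_second(slow_hash)
    print(f"md5: {fast:,.0f} guesses/s, slow hash: {slow:,.0f} guesses/s, "
          f"ratio about {fast / slow:,.0f}x on one CPU core")
```

Running it shows alice's and bob's passwords falling to the wordlist immediately while carol's survives, and the throughput figures show a single CPU core managing on the order of a million salted-MD5 guesses per second against a few dozen for scrypt; a GPU widens that gap by orders of magnitude for MD5 but far less for a memory-hard function, which is exactly why the choice of hash matters once the database is in an attacker's hands.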
Interestingly, this is one of the cases in which users can do little to prevent the attack itself; what they can do is limit the damage: replace passwords regularly and make them long and robust, use a password manager to generate a unique random string for each site (so that one leaked forum password cannot unlock anything else), and, where a site offers it, enable two-factor authentication, in which a password login must also be confirmed with a one-time code generated on or sent to a pre-registered device.
Still, it is worth noting that Canonical responded quickly, as every such incident should be handled. The issue may not be fully put to rest for Ubuntu Forum users, since the fact that the information has not been published yet does not mean it never will be, but a prompt effort to change passwords renders the stolen data largely worthless in the end. The Internet can still be a dangerous place, and caution is always called for.
Edited by Ryan Sartor