
Linux Mint forum database compromised, all users urged to change passwords - temp
http://blog.linuxmint.com/?p=3001?
======
0x0
The bigger issue is that the installer .iso images for Linux Mint were
backdoored this weekend:
[http://blog.linuxmint.com/?p=2994](http://blog.linuxmint.com/?p=2994)

------
IncRnd
There is no reason to store an encrypted password outside of proxying to
another system. Where was the key to the stored password? This forum looks
poorly designed from a security perspective.

~~~
berdario
Rather than jumping the gun, it'd be better to assume good faith/do a bit of
research

> "An encrypted copy of your forums password"

Likely it's just non-technical wording for "your salted and hashed passwords"
(yes, I don't like it either... but keep the audience in mind)

I've never used the Linux Mint forums, but looking at the Google cache (since
the forums are down)

[http://webcache.googleusercontent.com/search?q=cache:IxvZKvC...](http://webcache.googleusercontent.com/search?q=cache:IxvZKvC6UGEJ:linuxmint.com/forum/+&cd=1&hl=en&ct=clnk&gl=uk&client=ubuntu)

It's obvious that they're using phpBB. Just like WordPress and other
prominent software written in PHP, it probably has several flaws (security or
otherwise), so I'd still steer clear of it... but it's safe to assume that in
2016 a major open source project has learnt how to properly salt and hash
its passwords...

In fact, they're using bcrypt:

[https://github.com/phpbb/phpbb/tree/3.1.x/phpBB/phpbb/passwo...](https://github.com/phpbb/phpbb/tree/3.1.x/phpBB/phpbb/passwords/driver)

I don't know if this is the default hashing algorithm, or if they're properly
salting them... it's even possible that the Linux Mint forums are misconfigured
and/or that they're using an old version that defaults to md5.

But even if you use Argon2 or Scrypt, it won't do you any good if you picked

"Password1!"

or

"onetwothreefourfivesix"

as a password... it _will_ be cracked! (and thus the suggestion to change
passwords that might have been reused on other services is a perfectly good
one)

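The two points in the comment above, that the hash prefix tells you which phpBB scheme produced a dump, and that a memory-hard KDF does nothing for a password that sits in the first lines of a wordlist, as an added example. This is not phpBB's code; it uses the standard library's `hashlib.scrypt` as a stand-in for bcrypt/Argon2, and the wordlist, usernames and cost parameters are constructed for the demo. The prefix rules it applies are the ones phpBB actually uses (`$2y$` for the bcrypt driver added in 3.1, `$H$` for the phpass-style salted MD5 that 3.0 defaulted to, a bare 32-hex-character string for phpBB 2's unsalted MD5).

```python
"""Why a strong KDF does not save a weak password, and why salting matters.

Added example, not phpBB code. Stdlib only: hashlib.scrypt stands in for
bcrypt/Argon2. WORDLIST, the users in demo() and the cost parameters are
constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the first lines of a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "Password1!",
            "letmein", "onetwothreefourfivesix"]

# scrypt cost parameters (assumed; chosen so the demo runs in seconds).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password, salt=None):
    """Salted, memory-hard hash encoded as 'scrypt$<salt hex>$<key hex>'."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def scrypt_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


def md5_hash(password):
    """Unsalted MD5, the phpBB 2 era scheme."""
    return hashlib.md5(password.encode()).hexdigest()


def classify_phpbb_hash(stored):
    """Name the phpBB hashing scheme from a stored hash's prefix."""
    if stored.startswith(("$2y$", "$2a$")):
        return "bcrypt"            # phpBB 3.1+ bcrypt driver
    if stored.startswith(("$H$", "$P$")):
        return "phpass-md5"        # phpBB 3.0 default (salted, iterated MD5)
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "plain-md5"         # phpBB 2, no salt at all
    return "unknown"


def crack_scrypt(stored_hashes, wordlist):
    """Per-hash guessing: the salt forces one KDF call per (hash, word).

    Returns (cracked {hash: password}, number of scrypt calls made).
    """
    cracked, calls = {}, 0
    for stored in stored_hashes:
        for word in wordlist:
            calls += 1
            if scrypt_verify(word, stored):
                cracked[stored] = word
                break
    return cracked, calls


def crack_md5(stored_hashes, wordlist):
    """Unsalted: hash the wordlist once, then every stored hash is a lookup.

    Returns (cracked {hash: password}, number of MD5 calls made).
    """
    table = {md5_hash(w): w for w in wordlist}
    cracked = {h: table[h] for h in stored_hashes if h in table}
    return cracked, len(wordlist)


def demo():
    """Three constructed users; two picked the passwords from the comment."""
    users = {"alice": "Password1!",
             "bob": "onetwothreefourfivesix",
             "carol": "correct horse battery staple xq9"}
    scrypt_db = [scrypt_hash(p) for p in users.values()]
    md5_db = [md5_hash(p) for p in users.values()]
    s_cracked, s_calls = crack_scrypt(scrypt_db, WORDLIST)
    m_cracked, m_calls = crack_md5(md5_db, WORDLIST)
    return {"scrypt_cracked": len(s_cracked), "scrypt_calls": s_calls,
            "md5_cracked": len(m_cracked), "md5_calls": m_calls}


if __name__ == "__main__":
    print(demo())
```

The salted KDF only changes the bill: the two weak passwords fall in either case, and the strong one survives in either case. What scrypt buys is that every stored hash costs the attacker a fresh run of the wordlist, while the unsalted MD5 column is cracked with a single pass over the wordlist no matter how many users there are. Running `classify_phpbb_hash` over a few rows of a dump is the quick way to settle the "are they still on md5?" question the comment raises.
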
~~~
CM30
The key isn't just what software they were using for the forum, but what
version of the software. Most sites that get hacked with these scripts are
using woefully outdated versions that have various holes in them, usually
because they don't want to have to replace/rewrite modifications or themes.

Based on the date, they might have been using a fairly old version of phpBB 3.

------
shiftoutbox
Wait, there is a typo in the title. I think you misspelled computer.

