

Android Forums hacked: 1 million user credentials stolen - Empro
http://www.zdnet.com/android-forums-hacked-1-million-user-credentials-stolen-7000000817/

======
vibrunazo
Worth noting this has nothing to do with any official Android website, nor is
it in any way related to google. It's just a community website made by android
fans for android fans.

~~~
degenerate
The HN title should be changed to Phandroid to minimize confusion. Hackers
will be keen enough to infer what the name means. It will also stop any rumors
from people that just read headlines and think Google got hacked.

------
mcyger
What's to be learned from this?

Server setting needed hardening?

Software needed updating and was vulnerable?

vBulletin is a well used and documented piece of code. I'd love to know what
the security experts here think.

~~~
voltagex_
Seems to me that PHP bulletin boards are always a (easy?) target.

~~~
iamandrus
Don't use this as a reason to diss PHP. Almost any target, no matter what
language, is vulnerable.

------
joekrill
In all fairness, they appear to have handled this incredibly well and have
been very informative. Which is much more than can be said for the breaches in
most other cases. And at least the passwords were hashed (although how well,
they don't really say -- I guess that would be part of the vBulletin package?)

------
cluda01
What's the significance of this? Upon cursory glance it seems like a community
site for android developers. Am I missing something?

~~~
ajross
It's a big site with, no doubt, a gold mine of email/password combinations to
try vs. other services. Maybe the password storage was secure, but probably
not. Maybe a few of those users were using secure one-off passwords, but
realistically most weren't.

~~~
arn
It's a vBulletin site, so their standard hashing
(<http://www.vbulletin.org/forum/showthread.php?t=178091>) which looks to be
md5(md5(pass) + salt).

~~~
ajross
Two iterations of the hash isn't what you'd call "secure". But at least it's
salted.

~~~
akaBruce
The hash iterations are due to vBulletin's life span and being a product. They
had md5 hashed passwords. Then they realized they have to salt them. So
instead of adding the salt to the password then hashing it, they decided
to add the salt to the hash so they could salt every password without having
to wait to get the original password.

~~~
ajross
The point was more that two iterations of MD5 isn't nearly slow enough. This
site claims 5.6G/s on an ATI 5970 (~$400US) card:
<http://www.golubev.com/hashgpu.htm>

So for a 2-iteration password cracker, that's enough to search almost a 48 bit
space of passwords in a day. That's enough to check every possible ASCII
password of 7 characters or less, and a good heuristic search will probably
get you much more than that.
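Added illustration, not from the thread and not vBulletin's own code: the legacy md5(md5(pass) + salt) construction as arn describes it, beside a PBKDF2-HMAC-SHA256 verifier, plus the keyspace arithmetic ajross uses, generalised to any hash rate and iteration count so the same sum shows how a work factor shrinks the space searchable per day. The sample password and salt are constructed; the 5-character salt length, the 200,000-iteration count and the choice of PBKDF2 as the hardened scheme are assumptions made here for the example.

```python
import hashlib
import hmac
import math
import os
import time

# Constructed sample credential; not taken from any breach.
SAMPLE_PASSWORD = "correcthorse"
SAMPLE_SALT = "Zq3xP"  # assumption: a short per-user random salt, as vBulletin stores one


def vbulletin_legacy_hash(password: str, salt: str) -> str:
    """Legacy scheme from the thread: md5(md5(password) + salt).

    The inner md5 is what the old unsalted table already held; the outer call
    bolts a salt onto that stored value, which is why the scheme could be
    applied to every row without knowing any cleartext password. Two md5
    calls cost a few nanoseconds each on a GPU, so the 'iteration' adds no
    meaningful work factor.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def verify_legacy(password: str, salt: str, stored_hex: str) -> bool:
    # Constant-time comparison so the verifier itself does not leak timing.
    return hmac.compare_digest(vbulletin_legacy_hash(password, salt), stored_hex)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Hardened alternative (assumption for this example): PBKDF2-HMAC-SHA256.

    The iteration count is the tunable work factor; raise it as hardware
    gets faster. bcrypt/scrypt/argon2 would be the usual choices today.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_pbkdf2_record(password: str, iterations: int = 200_000) -> tuple[bytes, int, str]:
    """Create a fresh random 16-byte salt and return (salt, iterations, hash)."""
    salt = os.urandom(16)
    return salt, iterations, pbkdf2_hash(password, salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, iterations: int, stored_hex: str) -> bool:
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored_hex)


def keyspace_bits_per_day(hashes_per_second: float, iterations: int = 1) -> float:
    """log2 of how many candidate passwords a given hash rate covers in one day.

    With iterations=1 this is the thread's figure: 5.6e9/s is about 2^48.8
    candidates per day. Dividing the rate by the iteration count shows how a
    real work factor pushes that figure down.
    """
    candidates_per_day = hashes_per_second * 86_400 / iterations
    return math.log2(candidates_per_day)


def printable_ascii_bits(length: int) -> float:
    """log2 of the number of printable-ASCII passwords of exactly this length."""
    return length * math.log2(95)


def legacy_per_pbkdf2_ratio(iterations: int = 200_000, samples: int = 500) -> float:
    """Rough CPU-side measurement of how many legacy hashes fit in one PBKDF2 hash."""
    t0 = time.perf_counter()
    for _ in range(samples):
        vbulletin_legacy_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    legacy_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    pbkdf2_hash(SAMPLE_PASSWORD, b"0" * 16, iterations)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / legacy_each


if __name__ == "__main__":
    print("legacy :", vbulletin_legacy_hash(SAMPLE_PASSWORD, SAMPLE_SALT))
    salt, iters, h = new_pbkdf2_record(SAMPLE_PASSWORD)
    print("pbkdf2 :", h, "verifies:", verify_pbkdf2(SAMPLE_PASSWORD, salt, iters, h))
    print("bits/day at 5.6e9/s, legacy :", round(keyspace_bits_per_day(5.6e9), 2))
    print("bits/day at 5.6e9/s, 200k it:", round(keyspace_bits_per_day(5.6e9, 200_000), 2))
    print("7-char printable ASCII space :", round(printable_ascii_bits(7), 2), "bits")
    print("legacy hashes per PBKDF2 hash on this CPU:", round(legacy_per_pbkdf2_ratio()))
```

The two keyspace numbers are the sizing check a defender wants: at the quoted rate the legacy scheme covers about 48.8 bits a day, comfortably more than the 46 bits of all 7-character printable-ASCII passwords, while 200,000 iterations drop that to roughly 31 bits, which is why the iteration count, not the salt, is the knob that matters.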

------
Xavura
This has been happening a lot lately, wasn't there something with Yahoo! just
a few days ago? And I recall one or two others not long since.

~~~
nivla
The Yahoo one posted yesterday turned out to be a fake claim.

~~~
cdh
It was definitely not fake; I know a few people who were on the leaked Yahoo
Voices list.

------
vitriolix
Wow, the comment section over at ZDNet is embarrassing.

------
da_n
But isn't Android open?

(sorry, that was terrible).

