
Android Forums Hacked: 1 Million User Credentials Stolen

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"
  • lol linux (Score:4, Funny)

    by Anonymous Coward on Thursday July 12, 2012 @05:46PM (#40633151)

    Was it run on... Linux? BWAHAHAHAHAHAH!

    Linux = FAIL.
    Windows or OS X are the only secure solutions.

    • Re: (Score:1, Offtopic)

      by multiben (1916126)
      Oh come on whoever modded this down. Get a sense of humour!
      • I would have modded it insightful. It illustrates the point that every time a security problem happens on a Windows system, the problem is blamed on Windows, even if that's an unfair accusation.
    • by sl4shd0rk (755837)

      I thought you were introducing a new linux distro.

    • No reason to blame Linux, the OS has nothing to do with this problem. It was the administrator who was too stupid to put more security in its database. So please next time, like always, USE YOUR FUCKING HEAD when you read. It's getting annoying... and why aren't you banned? Seriously, every time you write, nothing is good. Only trolling.
  • by Grayhand (2610049) on Thursday July 12, 2012 @05:48PM (#40633169)
    Androids forums had a million users!!!!! Take that Apple!
    • Androids forums had a million users!!!!! Take that Apple!

      To go to StarBucks and work on our screenplays we have to go outside!! Take that, Linux basement dwellers!

    • by tehcyder (746570)

      Androids forums had a million users!!!!! Take that Apple!

      Yeah, where's the forums app on my iToy?

  • by war4peace (1628283) on Thursday July 12, 2012 @05:49PM (#40633187)

    It's the third major hack in two days. Summer break boosts hacking?
    My knee-jerk reaction was that there's a new, unknown exploit out there but from the summary I see there's a "known exploit".
    At least I don't have an account there and now I am sure I never will...

  • by dynamo52 (890601) on Thursday July 12, 2012 @06:01PM (#40633299)
    I use a unique email address and randomly generated password for every single website to which I register. I don't know if I am a member on this forum but even if I am, I'm not going to bother with changing credentials because frankly, if somebody wants to impersonate me on a forum I may have joined simply for advice on a particular product I say go for it.
  • Link to forums... [androidforums.com] (Thanks for making me add more than just the link, /.)
  • Forums (Score:5, Insightful)

    by Archangel Michael (180766) on Thursday July 12, 2012 @06:10PM (#40633399) Journal

    Most websites are "NOT SECURE" enough, so pretending that they are is simply dangerous. Wanna know how secure that website is? The Login is not on a SSL connection. Nuff Said!

    • by Kozz (7764)

      Most websites are "NOT SECURE" enough, so pretending that they are is simply dangerous. Wanna know how secure that website is? The Login is not on a SSL connection. Nuff Said!

      Grabbing credentials going over the wire of a non-SSL site is not at the top of my worries, but having SSL certainly gives people a false sense of security. Any idiot (well, almost) can obtain and install an SSL certificate for their webserver, but that doesn't mean said idiot remembered to lock down phpMyAdmin [google.com] or any other number of stupid things.

    • So, how exactly does SSL help with, say, SQL injection or a buffer overflow?

      Just because a website is using SSL, doesn't mean that the webmaster has a clue what it's doing.

  • by thetoadwarrior (1268702) on Thursday July 12, 2012 @06:29PM (#40633571) Homepage
    Some low-budget Android site gets hacked and we feel the need to talk about it? It's a fucking PHP-based site. I'm surprised it's not being hacked in between each restart to recover from memory leaks.
  • by wbr1 (2538558) on Thursday July 12, 2012 @06:32PM (#40633623)
    androidforums.com runs on a cluster of old phones. A simple android root program injected into the php was all that was needed :P
  • by rueger (210566) * on Thursday July 12, 2012 @06:40PM (#40633713) Homepage
    It appears that the change password page [androidforums.com] is Slashdotted - I can't get more than one character into the form before it freezes up.

    Good thing it's still using the old password that I used for forums before the great LinkedIn password crisis!
  • Hacking sites to leak 100 thousands of passwords? This is the fourth recent case I know of.

  • by Galestar (1473827) on Thursday July 12, 2012 @09:04PM (#40634793)
    That is all.
  • Original Source (Score:4, Informative)

    by izomiac (815208) on Thursday July 12, 2012 @09:06PM (#40634819) Homepage
    Here [androidforums.com] is the original source, with more information and less sensationalism. They aren't sure if any user information was downloaded, but are treating this as a full breach. To their credit, they at least hashed the passwords, and chose to inform their userbase rather than sit on it until they figured out if any user data was actually stolen or not.
    • Here [androidforums.com] is the original source, with more information and less sensationalism. They aren't sure if any user information was downloaded, but are treating this as a full breach. To their credit, they at least hashed the passwords, and chose to inform their userbase rather than sit on it until they figured out if any user data was actually stolen or not.

      No, they only informed those who actively frequent their site, since all they did was post a warning at the top of the forums page. They took no steps beyond that. They didn't bother to send out a mass email to their registered users. I didn't learn about it until yesterday, 3 days after the breach, and that's only because I read it here on Slashdot. If I hadn't read about it here, it would probably have been another 5 or 6 days before I learned about it, since that's about how often I frequent their site.

  • Let's just make everything public.

    • I would love it if we could get rid of all this password nonsense and just append pgp signatures to everything. Whole-site encryption (unless it's a private site) would be pointless, you wouldn't need to give them an e-mail account and there would be NOTHING to protect on the websites.

      Note: The above only applies to forum/blog style sites and not private (bank, corporate, etc) sites that hold *confidential* information.
  • by 0ld_d0g (923931) on Friday July 13, 2012 @03:34AM (#40636709)

    They open sourced the passwords? :-P

  • Paranoid Androids?
