Android Forums Hacked: 1 Million User Credentials Stolen

An anonymous reader writes "Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"

lol linux

[Anonymous Coward]

Was it run on... Linux? BWAHAHAHAHAHAH!

Linux = FAIL.
Windows or OS X are the only secure solutions.

Re:

[multiben]

Oh come on whoever modded this down. Get a sense of humour!

Re:lol linux

[multiben]

You're right. I'm sorry, now back to work everyone! These are serious times. Linux is the best operating system that has every existed and nothing will ever be better than it. It is perfect and nobody should ever laugh at it. You know why? Because it's not funny! That's why. In fact, nothing is funny. Somebody told me a joke once back in 1972 and frankly I just didn't see the point. It distracted me from being serious.

Re:

[multiben]

I know, I am totally agreeing with you.

Re:

[ColdWetDog]

Huh?

Whatever the hell he's going on about, he sure is upset with it.

Re:

[Anonymous Coward]

Hey, stop speaking like a '00s guy. Here in the '10s we shortened that to a concise "he mad".

Re:

[Kalriath]

He's either complaining about Windows Phone, or complaining about iOS. Presumably he needs to get out more.

Re:

[Anonymous Coward]

It wasn't funny to you, probably because you're a Lintard. To some though, it was funny. You're not funny at all. In fact, you're rather sad.

Yeah sure. It's like George Carlin's rules of the road. Anybody who drives slower than you is STUPID. Anybody who drives faster than you is CRAZY.

It's like that with insecure people and humor too. Anybody who didn't think the joke was funny was obviously too stupid to get it. Oh, if only they were graced with your wit and your sense of humor!

Clearly they are some kind of *tard. Oh was it about Linux? Yes, Lintard. That's what they are.

Course the difference between a comedian and a +5 Funny

Re:

[broggyr]

Anybody who drives faster than you is CRAZY.

Anybody who drives faster than you is a MANIAC!

FTFY

Re:

[Tourney3p0]

If you thought that was funny, you're going to *love* this new comedian Dane Cook that's making the rounds. Not sure what operating system he uses, though.

Re:

[Flere Imsaho]

People laughed when I said I wanted to be a comedian. Well, they're not laughing now.

Re:

[MobileTatsu-NJG]

It wasn't funny. Damn sure wasn't insightful or informative. Maybe inciteful.

It was both funny and insightful, you just haven't accepted the way it applies to you.

Re:

[Jawnn]

It wasn't funny.

I disagree. I'm certain that scores of 12-year-olds found it hilarious.

Re:

[AmberBlackCat]

I would have modded it insightful. It illustrates the point that every time a security problem happens on a Windows system, the problem is blamed on Windows, even if that's an unfair accusation.

Re:

[sl4shd0rk]

I thought you were introducing a new linux distro.

Re:

[fluffythedestroyer]

No reason to blame Linux, the OS has nothing to do with this problem. It was the administrator who was too stupid to put more security in it's database. So please next time, like always, USE YOUR FUCKING HEAD when you read. It's getting annoying... and why arent you banned. seriously, every time you write, nothing is good. only trolling

Woo Hoo, big news!

[Grayhand]

Androids forums had a million users!!!!! Take that Apple!

Re:

[BronsCon]

There's really not, go look at some of my comments pointing out Apples recent fuckups (not anti-Apple, just pointing out where they went wrong and pleading for improvement). Those mostly were modded down, just like the Linux joke.

Re:

[MobileTatsu-NJG]

Androids forums had a million users!!!!! Take that Apple!

To go to StarBucks and work on our screenplays we have to go outside!! Take that, Linux basement dwellers!

Re:

[tehcyder]

Androids forums had a million users!!!!! Take that Apple!

Yeah, where's the forums app on my iToy?

Somebody's rushing...

[war4peace]

It's the third major hack in two days. Summer break boosts hacking?
My knee-jerk reaction was that there's a new, unknown exploit out there but from the summary I see there's a "known exploit".
At least I don't have an account there and now I am sure I never will...

Re:

[SomePgmr]

At least this site hashed the users' passwords.

Re:

[zaphod777]

hashed with a random salt, although this can still be brute forced it is just much more expensive for all passwords not just the complex ones.

Re:

[Anubis IV]

This serves as yet another reminder of the value of using a password manager that can generate unique passwords for each and every site and then store them securely. That way, when the inevitable happens, as it did here, only that one password is compromised, and it comes at no hassle to you.

I've been using 1Password [agilebits.com] for years, but a number of folks here seem to like KeePass [keepass.info], and I'm sure a few kind folks will reply with more suggestions below.

Re:

[Anonymous Coward]

i'd love to use keepass, but i am too fucking stupid. i am going to try again right now. fucking complicated shit.

Re:

[Anubis IV]

That sounds less secure to me, since a simple rubber hose and some pliers applied to you can result in the recovery of those passwords. In contrast, I don't even know the vast majority of mine, offering me plausible deniability. You'd have to not only gain access to me, but also my encrypted database of passwords in order to get access to mine (and since the company behind 1Password has demonstrated a willingness to update and improve their encryption in the past, I expect that they'll continue to keep up w

Re:

[Serious Callers Only]

That's great, but who remembers the one password to your encrypted database of passwords?

Re:

[Anubis IV]

I do, of course, but as I said, they'd have to grab both me and the database in order to use the rubber hose method, whereas AC's technique requires no database, since the palace he's talking about is a memory retention technique, meaning that grabbing him would mean grabbing the database at the same time. I'm not suggesting mine is immune to rubber-hosing, just that it requires one more step to be possible, making it a bit more secure.

Re:

[tehcyder]

That sounds less secure to me, since a simple rubber hose and some pliers applied to you can result in the recovery of those passwords. In contrast, I don't even know the vast majority of mine, offering me plausible deniability.

"Plausible deniability" is a piece of legal weaselling, not a way of stopping someone slicing your balls off with a cheesewire..

Re:

[Anubis IV]

Sure...but it keeps my passwords secure! ;)

Re:

[KernelMuncher]

The best passwords are those hiding in plain sight. I like to keep a few pictures of things at my desk that instantly remind me of the password. For example it could be a picture of a big fat guy for password 300#FatGuy. That way you're unlikely to forget and still nobody would ever guess the actual password.

Re:

[Ded Bob]

I just wanted to mention that KeePassX [keepassx.org] runs on UNIX systems.

Re:

[AmbushBug]

Yep, and KeePassDroid [google.com] on Android.

Who cares?

[dynamo52]

I use a unique email address and randomly generated password for every single website to which I register. I don't know if I am a member on this forum but even if I am, I'm not going to bother with changing credentials because frankly, if somebody wants to impersonate me on a forum I may have joined simply for advice on a particular product I say go for it.

Re:

[plutoXL]

Well, apparently you don't care. But I am sure many other people do care.

Link...

[uniquename72]

Link to forums... [androidforums.com] (Thanks for making me add more than just the link, /.)

Forums

[Archangel Michael]

Most websites are "NOT SECURE" enough, so pretending that they are is simply dangerous. Wanna know how secure that website is? The Login is not on a SSL connection. Nuff Said!

Re:

[Kozz]

Most websites are "NOT SECURE" enough, so pretending that they are is simply dangerous. Wanna know how secure that website is? The Login is not on a SSL connection. Nuff Said!

Grabbing credentials going over the wire of a non-SSL site is not at the top of my worries, but having SSL certainly gives people a false sense of security. Any idiot (well, almost) can obtain and install an SSL certificate for their webserver, but that doesn't mean said idiot remembered to lock down phpMyAdmin [google.com] or any other number of stupid things.

Re:

[Robert Zenz]

So, how exactly does SSL help with, say, SQL injection or a buffer overflow?

Just because a website is using SSL, doesn't mean that the webmaster has a clue what it's doing.

Re:

[BronsCon]

You hear that, Slashdot? Now you know how to get rid of this guy!

Re:

[Setsquare]

Shouldn't forums just need a digital signature?

This is news?

[thetoadwarrior]

Some low budget Android site gets hacked and we feel the need to talk about it? It's a fucking PHP based site. I'm surprised not being hacked in between each restart to recover from memory leaks.

The known exploit

[wbr1]

androidforums.com runs on a cluster of old phones. A simple android root program injected into the php was all that was needed :P

And, To Fulfil the Irony....

[rueger]

It appears that the change password page [androidforums.com] is Slashdotted - I can't get more than one character into the form before it freezes up.

Good thing it's still using the old password that I used for forums before the great LinkedIn password crisis!

Re:

[cerberusss]

It appears that the change password page [androidforums.com] is Slashdotted

It's the password that I only use for all my forum accounts, so I don't really care if it's hacked or not. Should I post stupid stuff, then it's just the silly Android Forums hacker.

Re:And, To Fulfil the Irony....

[cerberusss]

It's the password that I only use for all my forum accounts, so I don't really care if it's hacked or not. Should I post stupid stuff, then it's just the silly Android Forums hacker.

HAHAHA DISREGARD THAT, I SUCK COCKS

Re:

[coinreturn]

+5, Funny as hell

Is this the new hype?

[Lord Lode]

Hacking sites to leak 100 thousands of passwords? This is the fourth recent case I know of.

Please use OpenID

[Galestar]

That is all.

Original Source

[izomiac]

Here [androidforums.com] is the original source, with more information and less sensationalism. They aren't sure if any user information was downloaded, but are treating this as a full breach. To their credit, they at least hashed the passwords, and chose to inform their userbase rather than sit on it until they figured out if any user data was actually stolen or not.

Re:

[DaScribbler]

Here [androidforums.com] is the original source, with more information and less sensationalism. They aren't sure if any user information was downloaded, but are treating this as a full breach. To their credit, they at least hashed the passwords, and chose to inform their userbase rather than sit on it until they figured out if any user data was actually stolen or not.

No, they only informed those who actively frequent their sire, since all they did was post a warning at the top of the forums page. They took no steps beyond that. They didn't bother to send out a mass email to their registered users. I didn't learn about it until yesterday, 3 days after the breach, and that's only because I read it here on slashdot. If I hadn't read about it here, it would probably have been another 5 or 6 days before I learned about it, since that's about how often I frequent their site.

Fuck It

[Ryanrule]

Lets just make everything public.

Re:

[DarwinSurvivor]

I would love it if we could get rid of all this password nonsense and just append pgp signatures to everything. Whole-site encryption (unless it's a private site) would be pointless, you wouldn't need to give them an e-mail account and there would be NOTHING to protect on the websites.

Note: The above only applies to forum/blog style sites and not private (bank, corporate, etc) sites that hold *confidential* information.

Does this mean..

[0ld_d0g]

They open sourced the passwords? :-P

Will they become...

[juanfgs]

Paranoid Androids?