Ubuntu Forum Security Breach
pinkstuff writes "There has been a major security breach of the Ubuntu Forums database. Every user's email address and salted password has been taken. From the forum home page: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."
Re:The hashes are salted (BUT NOT PROPERLY) (Score:5, Informative)
They use vBulletin.. the passwords are salted.. but it's just md5(salt+md5(password)). The salt is in the db, and it's just 2 md5 hashes -- NO stretching, PBKDF2, bcrypt, or anything else. It's literally one step up from plaintext. You can recover those passwords in very little time. You SHOULD assume the passwords are compromised.
http://www.vbulletin.org/forum/showthread.php?t=178091
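An added example, not part of the thread and not vBulletin's code: one way a site holding hashes in the form the comment above gives, md5(salt+md5(password)), can add the missing stretching at rest by wrapping each stored hash in PBKDF2 without needing the plaintext. The function names, row layout and iteration count are assumptions, and the sample row is constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_hash(password: str, salt: str) -> str:
    """The scheme as the comment writes it: md5(salt + md5(password))."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((salt + inner).encode()).hexdigest()


def migrate_row(row: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Replace the fast hash in a stored row with PBKDF2 over that hash.

    Works offline on the whole table because only the stored hash is needed,
    not the user's password. The legacy salt is kept for verification.
    """
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", row["hash"].encode(), new_salt, iterations)
    return {
        "user": row["user"],
        "scheme": "pbkdf2-sha256-over-legacy",
        "legacy_salt": row["salt"],
        "salt": new_salt.hex(),
        "iterations": iterations,
        "hash": dk.hex(),
    }


def verify(row: dict, password: str) -> bool:
    """Recompute the legacy hash, stretch it, compare in constant time."""
    candidate = legacy_hash(password, row["legacy_salt"])
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(row["salt"]), row["iterations"])
    return hmac.compare_digest(dk.hex(), row["hash"])


if __name__ == "__main__":
    # Constructed sample row in the legacy layout (user, salt, fast hash).
    old = {"user": "alice", "salt": "x7Q", "hash": legacy_hash("correct horse", "x7Q")}
    new = migrate_row(old)
    print(new["scheme"], verify(new, "correct horse"), verify(new, "wrong"))
```

Wrapping only protects the table from the moment of migration onward; hashes that have already been copied out stay as fast to test as before, which is why the password changes urged in the summary still apply.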
Re:Don't worry.... (Score:5, Informative)
The Ubuntu forums run on vBulletin, a proprietary solution. Nothing open-source about it.