The forums of popular webcomic xkcd have been hit by a data breach, exposing the details of more than 500,000 members. The breach is alleged to have been the result of a flaw in the open-source phpBB message board software.
The breach, first reported on Sunday by Have I Been Pwned, is said to have occurred at some point in August and included usernames, email addresses, hashed passwords, and IP addresses.
Following the disclosure, the forum's administrators have taken the message board down in order to confirm their security. Affected users were also notified via email.
"We've been alerted that portions of the phpBB user table from our forums showed up in a leaked data collection," a notification on the forum's main page read. "It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software."
It is unclear whether the vulnerability in phpBB, referenced by xkcd's breach notification, was already patched or whether it was a previously undiscovered flaw. The records appear to mostly be hashed using the bCrypt algorithm, although some accounts are still encrypted via the older, less secure md5 encryption method. It has been suggested that these are old, unused accounts which pre-date the forum's shift to bCrypt encryption.
"We've taken the forums offline until we can go over them and make sure they're secure. If you're an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password."
xkcd - the webcomic which spawned the forums - has been running for over a decade, and has built up a cult following among techies and internet communities thanks to its focus on STEM fields. Ironically, many of its strips deal directly with password security, including one well-known example on the perceived strength of passwords.
Image from xkcd.com
