MacRumors attackers: 860k password hack was 'friendly'

News
By Kurt Wallace
published

Hacker promises no accounts will be compromised, but notes weaknesses in password protection.

Password and username box

Hackers who breached Apple fan site MacRumors and made off with 860,000 passwords have said they were not being malicious but "friendly".

In a post on a MacRumors forum, a post from user Lol' explained the passwords would be easy to crack, but they would not do so.

We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place.

"We're not logging in to your Gmails, Apple accounts, or even your Yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place," Lol said.

"The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."

Lol noted 860,106 passwords were compromised, 488,429 of which were protected with older, smaller salting protections, making them slightly easier to crack with the right tools.

Salts see pseudo-random strings added to the plain text of passwords, before they are passed through a one-way hashing algorithm to turn the login credential into garbled information. If unique to each password, they force crackers to address each password individually rather than do a tranche in one go.

Despite the added protections around certain logins, it appeared Lol would have little trouble breaking them. "We're not mass cracking' the hashes. It doesn't take long whatsoever to run a hash through Hashcat with a few dictionaries and salts, and get results," Lol said.

Cracking tools run password guesses through the relevant hashing algorithm to see what the output is. If the guess matches with the password, the hashed result will look the same and the hacker has the login detail they are after. That's why creating a unique password remains so important for user security.

Editorial director Arnold Kim noted MacRumors had used the standard MD5 hash and salt, and admitted they were "not that strong, so assume that your password can be determined with time".

Lol said the initial breach was not down to a weakness in vBulletin, the forum software powering MacRumors, but the "fault lied within a single moderator".

Kurt Wallace