MacRumors attackers: 860k password hack was 'friendly'

Hacker promises no accounts will be compromised, but notes weaknesses in password protection.

Hackers who breached Apple fan site MacRumors and made off with 860,000 passwords have said they were not being malicious but "friendly".

In a post on a MacRumors forum, a user named 'Lol' explained that the passwords would be easy to crack, but that they would not do so.

"We're not logging in to your Gmails, Apple accounts, or even your Yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on MacRumors when it was your own fault for reusing passwords in the first place," Lol said.

"The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."

Lol noted 860,106 passwords were compromised, 488,429 of which were protected with older, smaller salting protections, making them slightly easier to crack with the right tools.

Salts are pseudo-random strings added to the plain text of passwords before they are passed through a one-way hashing algorithm, which turns the login credential into garbled information. If unique to each password, they force crackers to address each password individually rather than do a tranche in one go.

Despite the added protections around certain logins, it appeared Lol would have little trouble breaking them. "We're not 'mass cracking' the hashes. It doesn't take long whatsoever to run a hash through Hashcat with a few dictionaries and salts, and get results," Lol said.

Cracking tools run password guesses through the relevant hashing algorithm to see what the output is. If the guess matches the password, the hashed result will be the same as the stored hash and the hacker has the login detail they are after. That's why creating a unique password remains so important for user security.

Editorial director Arnold Kim noted MacRumors had used the standard MD5 hash and salt, and admitted they were "not that strong, so assume that your password can be determined with time".
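The Python sketch below is an added example, not code from MacRumors or vBulletin. It shows why a unique salt makes identical passwords hash differently, and how a site holding salted MD5 records can move each account to a slow key-derivation function at its next successful login. The salt-then-password layout, the PBKDF2 iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your own hardware

def legacy_hash(password: str, salt: bytes) -> str:
    # Assumed legacy layout: a single fast MD5 pass over salt + password.
    return hashlib.md5(salt + password.encode()).hexdigest()

def strong_hash(password: str, salt: bytes) -> str:
    # Slow, salted KDF: every guess costs PBKDF2_ITERATIONS HMAC rounds.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    ).hex()

def new_record(password: str, scheme: str = "pbkdf2") -> dict:
    salt = os.urandom(16)  # unique, random salt per stored password
    fn = strong_hash if scheme == "pbkdf2" else legacy_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}

def verify_and_upgrade(record: dict, password: str):
    """Check a login attempt; return (ok, record_to_store).

    A correct password against a legacy MD5 record is re-hashed with
    PBKDF2 and a fresh salt, so the weak hash is replaced on login.
    """
    fn = strong_hash if record["scheme"] == "pbkdf2" else legacy_hash
    candidate = fn(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and record["scheme"] != "pbkdf2":
        record = new_record(password)
    return ok, record

def distinct_hash_counts(password: str, accounts: int = 3):
    """Count distinct stored hashes when several accounts reuse one password."""
    unsalted = {hashlib.md5(password.encode()).hexdigest() for _ in range(accounts)}
    salted = {new_record(password, "md5")["hash"] for _ in range(accounts)}
    return len(unsalted), len(salted)

if __name__ == "__main__":
    # Constructed sample password, not taken from any real data set.
    print(distinct_hash_counts("correct horse 2013"))
    old = new_record("correct horse 2013", scheme="md5")
    print(verify_and_upgrade(old, "correct horse 2013")[1]["scheme"])
```

Without a salt the three accounts collapse to one hash value, so one match exposes all of them; with unique salts each record must be tested separately, and the slow function raises the cost of every such test.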

Lol said the initial breach was not down to a weakness in vBulletin, the forum software powering MacRumors, but the "fault lied within a single moderator".
