A popular web comic informed patrons of its online forum that a data breach leaked sensitive information of more than a half-million users.
The online comic, called XKCD — which ironically comments on science and tech culture, including web security — disclosed the breach over the weekend after being alerted by researchers from the data breach website, Have I Been Pwned.
Have I Been Pwned was initially made aware of the hack by security researcher Adam Davies.
Forums for the comic have since been taken offline as administrators of the site look to secure it once again.
Hackers have stolen sensitive data from 560,000 patrons of an online forum related to the web comic XKCD, which comments on science and tech culture.
‘The xkcd forums are currently offline. We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration,’ wrote administrators, according to a report from Vice.
‘We’ve taken the forums offline until we can go over them and make sure they’re secure. If you’re an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password.’
The attack, which happened in July, apparently exploited open-source bulletin software commonly used in online forums.
Hackers were able to steal passwords hashed using the MD5 algorithm, which converts a plaintext password into a seemingly random string of letters and numbers.
While the passwords were hashed, MD5 has long been considered an insufficient method of safeguarding sensitive information, and MD5 hashes can be fairly easily cracked using cracking software.
By upgrading the site’s hashing algorithm, administrators could possibly have helped protect its patrons against the hack.
According to Have I Been Pwned, many of the IP addresses stolen in the hack, an overwhelming 58 percent, were already found on the site’s running list of compromised IPs.
Haveibeenpwned.com allows users to input their email addresses into their database and cross-reference the address against a list of hacks affecting various sites and platforms.
HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED
Have I Been Pwned?
Cybersecurity expert and Microsoft regional director Troy Hunt runs ‘Have I Been Pwned’.
The website lets you check whether your email has been compromised as part of any of the data breaches that have happened.
If your email address pops up you should change your password.
To check if your password may have been exposed in a previous data breach, go to the site’s homepage and enter your email address.
The search tool will check it against the details of historical data breaches that made this information publicly visible.
If your password does pop up, you’re likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.
Mr Hunt built the site to help people check whether or not the password they’d like to use was on a list of known breached passwords.
The site does not store your password next to any personally identifiable data and every password is encrypted.
Other Safety Tips
Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use.
Next, enable two-factor authentication. Lastly, keep abreast of any breaches.