The Ubuntu Forum website has been taken down after attackers defaced the homepage and accessed the database containing details of around 1,820,000 users.
“Unfortunately, the attackers have gotten every user's local username, password and email address from the Ubuntu Forums database,” reads a holding message on the downed site.
There is no sign that the compromised details have been published online.
However, members have been advised to change their passwords as soon as possible, especially if they are using the same password for other sites or services.
“We believe the issue is limited to the Ubuntu Forums and no other Ubuntu or Canonical site or service is affected,” read a blog post by Canonical, the company that markets Ubuntu, a computing platform based on the Linux operating system.
The company said it is investigating how the attackers were able to gain access and is working with the software providers to address the issue. Canonical said it will provide as much detail as possible once the investigation has been concluded.
The company said the Ubuntu Forum site will remain down until it is safe for it to be restored.
Inadequate password protection
The Ubuntu Forum passwords were cryptographically scrambled using the MD5 hashing algorithm, along with a per-user cryptographic salt, according to Ars Technica.
Security experts consider MD5, with or without salt, to be an inadequate means of protecting stored passwords, the publication noted.
While a per-user salt increases the time it takes to crack large numbers of passwords at once, it does little or nothing to delay the cracking of a small number of hashes.
That means the scheme used by Canonical does not prevent the decoding of individual hashes that may be targeted.
Security expert Paul Ducklin of security firm Sophos recommended that any organisation storing passwords in a database should use a strong salt-and-hash system such as bcrypt, scrypt or PBKDF2.
These systems make it much harder and slower for attackers to go through their password dictionary, he wrote in a blog post.
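The difference Ducklin describes can be measured. The following is an added example, not code from the article, Canonical or the forum software: it stores the same password under the reported scheme (a single salted MD5; the exact salt-and-password ordering used by the forum is an assumption) and under PBKDF2-HMAC-SHA256 from Python's standard library, verifies both with a constant-time comparison, and estimates how many guesses per second an attacker could test against one stolen record.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme reported for the forum: one fast MD5 over a per-user salt plus
# the password. The concatenation order is an assumption for this illustration.
def md5_salted(password: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + password.encode("utf-8")).digest()

# Recommended replacement: PBKDF2-HMAC-SHA256 with a high iteration count, so
# every guess costs the attacker the same stretched work it costs the server.
def pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store(password: str, scheme: str = "pbkdf2", iterations: int = 200_000) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh random salt per user
    if scheme == "md5":
        digest, iterations = md5_salted(password, salt), 1
    else:
        digest = pbkdf2(password, salt, iterations)
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5":
        digest = md5_salted(password, salt)
    else:
        digest = pbkdf2(password, salt, int(iterations))
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))

def guesses_per_second(record: str, seconds: float = 0.3) -> float:
    """Estimate how fast one stored record can be attacked by trial guesses."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        verify(f"wrong-guess-{count}", record)  # constructed, never matches
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    weak = store("correct horse", "md5")
    strong = store("correct horse", "pbkdf2")
    print(f"salted MD5: {guesses_per_second(weak):,.0f} guesses/s")
    print(f"PBKDF2:     {guesses_per_second(strong):,.0f} guesses/s")
```

The MD5 rate is what makes the salt irrelevant for a single targeted hash: the salt only forces the attacker to repeat that already cheap work per user, whereas PBKDF2 makes each individual guess expensive.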