XKCD forum, the bulletin board associated with the popular webcomic XKCD, has been taken offline after personal information of more than 562,000 members was exposed online.
According to security researcher Troy Hunt, the breach occurred two months ago (on July 1, 2019). The compromised data has been added to the breach-alerting site Have I Been Pwned (HIBP).
“We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection,” XKCD said in a notice. “It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.”
The exposed information — which was provided to HIBP by white hat security researcher and data analyst Adam Davies — included usernames, email addresses, hashed passwords, and in some cases an IP address from the time of registration.
The comic created in 2005 by American author Randall Munroe goes by the tagline “a webcomic of romance, sarcasm, math, and language,” and often features mathematical, scientific, and pop-culture in-jokes.
XKCD uses phpBB — free and open-source bulletin board software written in the PHP programming language — and, according to Hunt, the passwords were hashed in the MD5 phpBB3 format.
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned https://t.co/LGaAnj1hUA
— Have I Been Pwned (@haveibeenpwned) September 1, 2019
Hashing takes a plaintext, user-provided password and turns it into a fixed-length string of seemingly random characters, usually after mixing in an optional salt and repeating the process over several iterations; the resulting hash, rather than the real password, is what gets stored in the database. It is a one-way function: the stored hash cannot be reversed to recover the password.
Although MD5 is still widely used, the hashing scheme (along with SHA1) is considered “cryptographically broken”, unlike stronger, newer alternatives such as bcrypt, scrypt, and Argon2, because of the increased possibility of collision attacks, in which two different plaintext messages produce the same hash value.
For this reason, websites and web, mobile, and other applications must use a strong password hashing scheme to safeguard user data.
If anything, the incident serves as yet another potent reminder of why software needs to be kept up to date, especially third-party software.
At this stage, it’s unclear whether XKCD was running an older version of phpBB that was vulnerable to a known security flaw, or whether the attackers exploited a previously undiscovered flaw in the forum software to extract the data.
Although phpBB migrated to bcrypt with version 3.1 and later, it’s very possible that early users of the XKCD forum still had their passwords hashed with the less secure MD5 scheme, which was the standard in phpBB before it was replaced with bcrypt.
Realistically, this could have been avoided had a hash-upgrade scheme been in place to re-hash each user’s password with bcrypt on their next login, retiring the MD5 hash at the only moment the plaintext is legitimately available.
For now, the same rule of caution applies. In the event you turn out to be among those affected, immediately change your XKCD password, as well as any other accounts on which you used the same (or similar) password.