The popular xkcd webcomic has taken its associated forum offline after the personal information of more than 562,000 members was found to have been publicly leaked. According to security researcher Troy Hunt, the breach occurred on July 1, 2019. The breach is allegedly the result of flaws in phpBB, the open-source message board software that powered the forum.
In a notice, xkcd said: “We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection […] It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.”
It is not clear whether the phpBB vulnerability referenced in xkcd’s breach notice had already been patched, or whether it was a previously unknown flaw.
xkcd – the webcomic that gave rise to the now-hacked forums – has been online since 2005 and has a cult following in some circles. Many of the comic strips center on security; my personal favorite is about encryption.
Most of the leaked records were reportedly hashed with the bcrypt algorithm, although some accounts still used the older, weaker MD5 hash. It has been suggested that these are old, unused accounts that pre-date the forum’s move to bcrypt.
Password hashing turns a plaintext password into a fixed-length string of what looks like random characters, and only that string is stored in the database. Because the hash is one-way, it cannot simply be reversed, which keeps a user’s real password from being exposed directly in a data breach like this one.
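As an added example (not xkcd’s, phpBB’s or the author’s code), the following Python script shows what the bcrypt-versus-MD5 distinction above looks like in practice for someone auditing a forum database: it classifies each stored password string in a phpBB-style user table by scheme, reads the bcrypt work factor, lists accounts still on legacy hashes that should be rehashed at their next login, and shows why unsalted MD5 is the weaker choice: two accounts with the same password store the identical digest, so a leaked table reveals shared passwords on sight. The sample rows are constructed; the bcrypt and phpass strings are structurally valid but were not derived from any real password. The prefix conventions assumed here ($2y$ for bcrypt in phpBB 3.1 and later, $H$/$P$ for the earlier phpass format, a bare 32-character hex digest for very old installs) are phpBB’s storage formats and are not stated on this page.

```python
"""Audit a phpBB-style user table for legacy password hashes (added example)."""
import hashlib
import re
from collections import Counter, defaultdict

# Storage formats assumed here: bcrypt ($2y$cost$salt+hash, 60 chars),
# phpass portable hashes ($H$ or $P$ + 31 chars), and unsalted MD5 hex.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
PHPASS_RE = re.compile(r"^\$[HP]\$[./0-9A-Za-z]{31}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(stored: str) -> str:
    """Return the hash scheme a stored password string belongs to."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if PHPASS_RE.match(stored):
        return "phpass"
    if MD5_RE.match(stored):
        return "md5"
    return "unknown"


def bcrypt_cost(stored: str) -> int:
    """Work factor encoded in a bcrypt string (the hash takes 2**cost rounds)."""
    match = BCRYPT_RE.match(stored)
    if not match:
        raise ValueError("not a bcrypt string")
    return int(match.group(1))


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as very old boards stored it; used only to build samples."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample rows (username, user_password).  The bcrypt and phpass
# strings below are structurally valid but are not hashes of any password.
SAMPLE_USERS = [
    ("alice", "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   "$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("carol", "$H$9abcdefghABCDEFGHIJKLMNOPQRSTUV"),
    ("dave",  legacy_md5("correct horse battery staple")),
    ("erin",  legacy_md5("correct horse battery staple")),
    ("frank", legacy_md5("another-old-password")),
    ("grace", "not-a-hash"),
]


def audit(users):
    """Count schemes and list accounts that still need a bcrypt upgrade."""
    counts = Counter()
    needs_upgrade = []
    for name, stored in users:
        scheme = classify_hash(stored)
        counts[scheme] += 1
        if scheme != "bcrypt":
            needs_upgrade.append(name)
    return counts, needs_upgrade


def shared_md5_groups(users):
    """Usernames grouped by identical unsalted MD5 digest.

    MD5 as stored here carries no salt, so every account with the same
    password holds the same 32 hex characters and a leaked table reveals
    which users share a password.  A bcrypt string embeds a random salt
    after the cost field, so equal passwords produce different strings.
    """
    groups = defaultdict(list)
    for name, stored in users:
        if classify_hash(stored) == "md5":
            groups[stored].append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    counts, pending = audit(SAMPLE_USERS)
    print("hash schemes:", dict(counts))
    print("accounts to rehash on next login:", pending)
    print("accounts sharing an MD5 digest:", shared_md5_groups(SAMPLE_USERS))
```

The practical remediation the audit points at is the one phpBB itself performs: keep the legacy hash only until the user next logs in, verify the password against it, and immediately replace it with a bcrypt string, so the number of MD5 rows shrinks to exactly the dormant accounts the article describes.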
While any data breach is cause for caution, according to Have I Been Pwned the exposed information consists only of usernames, email addresses, the hashed passwords, and some IP addresses recorded at the time of user registration.
The xkcd leak is pretty tame, in terms of hacked data, compared with the MoviePass or even the Hostinger breaches from August. MoviePass had failed to encrypt its data at all, and did not take a plaintext database containing at least some users’ credit card information offline until TechCrunch asked about it.
Option Way, a French travel booking site, has according to researchers leaked 100 GB of data, including names, email addresses, addresses, phone numbers, and travel details, all from a database that was largely unencrypted. The Option Way database also contained details of employees and credit cards.
At this point, a bulletin board attached to a stick-figure webcomic is, even after a breach, showing up companies that should have taken far more care with the security of their users’ data.
Header Image: “Show Up” by Shine Visual Lab