The group that hacked MacRumors Forums and made off with password data for more than 860,000 users has no plans to use it to mass compromise the accounts of people who use the same login credentials on other sites.
The pledge was made in this post by a user who supplied confidential password details that weren’t publicly available. Among other things, that information included a partial cryptographic hash corresponding to the password of MacRumors Editorial Director Arnold Kim, as well as the per-account cryptographic salt stored alongside it to make the hash harder to crack. Kim told Ars that those and other confidential details included in the post were “legit.” The user went on to defend the hack as a benign undertaking designed to sharpen the skills of both the hacker and the MacRumors administrators.
“We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),” the user known simply as Lol wrote. “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”
He continued: “Consider the ‘malicious’ attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”
In subsequent posts here and here, Lol expanded on the thinking behind the hack. “Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.” The MacRumors breach, Lol added, was taken on “to test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out.”
Lol went on to counter speculation that the hack was the result of exploiting one or more vulnerabilities in vBulletin, the commercial PHP forum software (distributed as source code under a paid license) that powered the MacRumors forums.
“The fault lied [sic] within a single moderator,” the post stated. “All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about.”
Lol confirmed that the MacRumors password hashes totaled 860,106. Interestingly, more than half of them were stored with a cryptographic salt just three “bits” long. Lol almost certainly meant three bytes, which would make each of those salts just three characters long, a length consistent with the short salts that older vBulletin 3.x installations generated before later versions moved to much longer ones.
Salts are random strings that are combined with a password, usually by appending them to the plaintext, before it is run through a one-way hash function. The salt is stored next to the resulting hash; it is not a secret. Its job is to raise the cost of cracking a large dump by forcing the attacker to guess against each hash individually rather than testing one candidate password against all 860,000 hashes at once. (Salting also defeats rainbow tables, although in the age of fast video cards and efficient dictionary attacks made possible by Hashcat and other free cracking programs, few people bother with that method anymore.) To be truly effective, a salt must be unique for every hash, which a three-byte salt can’t deliver at this scale: three arbitrary bytes allow at most 2^24 values, and three printable ASCII characters fewer than a million, so a dump of 860,106 hashes is guaranteed to contain many repeated salts, and every shared salt lets the attacker test each candidate password once against all the hashes that share it. Salting also does nothing to slow down an individual guess; that requires a deliberately slow password hash such as bcrypt, scrypt or PBKDF2 in place of a fast function like MD5.
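To make the salt-reuse point concrete, here is an added example (it is not code from the article, from MacRumors or from vBulletin). It models the legacy scheme as md5(md5(password) + salt) with a three-character salt, which is an assumption based on the old vBulletin 3.x format rather than anything the article states, and contrasts it with a per-user 16-byte random salt and PBKDF2. The user records, salts and word list are constructed for the demo. The cracker groups hashes by salt, so each (salt, candidate) pair is hashed once and compared against every account sharing that salt; the operation counts show how duplicated salts shrink the attacker's work, and the last function applies the same birthday math to a dump the size of the MacRumors one.

```python
"""Added example: why short, duplicated salts help a password cracker.
The md5(md5(pw) + salt) construction with a 3-character salt is an
assumption modelled on vBulletin 3.x; users and word list are constructed."""
import hashlib
import math
import secrets
from collections import defaultdict

PRINTABLE = "".join(chr(c) for c in range(33, 127))  # 94 printable ASCII chars

WORDLIST = ["password", "letmein", "macrumors", "iphone5", "qwerty"]

# Constructed accounts: three share the salt "a1!" and two share "Zq9",
# the kind of collision a 3-character salt space produces at scale.
USERS = [
    ("alice", "a1!", "password"),
    ("bob",   "a1!", "letmein"),
    ("carol", "a1!", "correct horse"),  # not in the word list, stays uncracked
    ("dave",  "Zq9", "iphone5"),
    ("erin",  "Zq9", "qwerty"),
    ("frank", "7#k", "macrumors"),
]


def legacy_hash(password: str, salt: str) -> str:
    """Fast legacy scheme (assumed): md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Deliberately slow scheme: PBKDF2-HMAC-SHA256 with a 16-byte random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack(records, wordlist, hash_fn):
    """records: iterable of (username, salt, digest).

    Returns (cracked, hash_operations). Hashes are grouped by salt so each
    (salt, word) candidate is computed once and compared against every
    account that shares the salt; duplicated salts cost the attacker nothing.
    """
    by_salt = defaultdict(list)
    for user, salt, digest in records:
        by_salt[salt].append((user, digest))
    cracked, ops = {}, 0
    for salt, entries in by_salt.items():
        for word in wordlist:
            ops += 1
            candidate = hash_fn(word, salt)
            for user, digest in entries:
                if candidate == digest:
                    cracked[user] = word
    return cracked, ops


def legacy_attack():
    """Dump using the assumed 3-character-salt scheme: 3 distinct salts, 6 users."""
    dump = [(u, s, legacy_hash(p, s)) for u, s, p in USERS]
    return crack(dump, WORDLIST, legacy_hash)


def strong_attack():
    """Same users, but each gets a unique 16-byte salt and a slow KDF."""
    dump = []
    for user, _, password in USERS:
        salt = secrets.token_bytes(16)
        dump.append((user, salt, strong_hash(password, salt)))
    return crack(dump, WORDLIST, strong_hash)


def expected_distinct(n: int, space: int) -> float:
    """Expected number of distinct values when n salts are drawn uniformly from `space`."""
    return space * (1 - math.exp(-n / space))


def salt_space_report(n_hashes: int = 860_106, salt_len: int = 3):
    """Size of a printable-ASCII salt space and the expected distinct salts in a dump."""
    space = len(PRINTABLE) ** salt_len  # 94**3 = 830,584 < 860,106 hashes
    return space, expected_distinct(n_hashes, space)


if __name__ == "__main__":
    cracked, ops = legacy_attack()
    print(f"legacy: {len(cracked)} cracked with {ops} fast hash operations")
    cracked, ops = strong_attack()
    print(f"strong: {len(cracked)} cracked with {ops} slow (100k-iteration) operations")
    space, distinct = salt_space_report()
    print(f"3-char salt space {space:,}; ~{distinct:,.0f} distinct salts expected in 860,106 hashes")
```

With three salts shared across six accounts the legacy dump costs 15 hash operations for the whole word list instead of 30, and each operation is a single MD5. The PBKDF2 dump needs the full 30 operations and each one is 100,000 times slower, which is the difference between the two defences: unique salts remove the batching, the slow KDF removes the speed. For a 3-character printable salt the space is 830,584 values, already smaller than the 860,106 hashes in the dump, and the birthday calculation puts the expected number of distinct salts at roughly 536,000, so an attacker gets to skip close to 40 percent of the per-hash work that unique salts would have forced.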
“Anyone that’d been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work [to] do, it’s like to have many with a 3 bit salt),” Lol wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts and get results.”
While the confidential details included in the post prove the writer has insider knowledge of the hack, readers are advised to maintain a healthy skepticism toward the remaining claims. For instance, counter to Lol’s assertion, there is no way right now to be sure the hack wasn’t executed by exploiting a vBulletin vulnerability. And of course, MacRumors account holders shouldn’t take the word of an admitted trespasser that their accounts on other sites won’t be accessed; anyone who reused their MacRumors password elsewhere should change it.