‘Avast forum was hacked months ago due to password recycling’
Hackers reportedly gained easy access to the admin area of the Avast forum because one of its admins is believed to have used his password elsewhere as well. That is the conclusion of the developers of Simple Machines Forum, the open source forum software Avast was running.
In late May, the antivirus company Avast took its forum offline after hackers got into the admin section of the forum software. The still unidentified attackers are said to have stolen the data of roughly 400,000 people. Avast announced it would move to more secure forum software.
At the time of the hack, Avast was running Simple Machines Forum, open source forum software based on PHP and MySQL. In a response, the developers have distanced themselves from Avast’s suggestion that their software is insecure. In their own investigation, for which they had access to Avast server logs from late May, they found no evidence of an exploit or of any other common attack technique, so no vulnerability in Simple Machines Forum’s code appears to have been used.
Instead, the developers conclude that one of the Avast forum admins most likely used his password on several sites and that it was stolen from one of them. With that password, the attackers had trivial access to the administration section. There are also strong indications, the developers say, that the attackers had been inside the Avast forum for months: they point to a number of modified files on the server.
The developers also accept part of the blame. They admit that once an attacker is inside the admin section of the forum, built-in features such as the Theme Editor and the Package Manager give him powerful means to, for example, place malware on the site. Simple Machines Forum says this is a deliberate design choice, because it wants to keep administering a forum as simple as possible.
According to Simple Machines Forum, it went public because Avast reportedly refused to investigate the hack of its forum in sufficient depth together with the software’s developers. The developers also repeat the warning that Internet users should never reuse a password on another website, a practice known as “password recycling”, and point to their guidance on setting file permissions correctly on Linux and Unix systems, which makes it harder for an attacker to tamper with files.
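The two technical points the developers raise, restrictive file permissions on the web root and watching for modified files, are illustrated by the following added shell example. It is not Simple Machines Forum’s own script or guidance: the directory layout is constructed to resemble a PHP forum install, the choice of which directories stay writable (`attachments`, `cache`) is an assumption to adjust per site, and ownership changes (a separate deploy user and web server group) are left to the operator because they need root.

```shell
#!/bin/sh
# Added example (not Simple Machines Forum's own scripts): harden a PHP forum
# tree so the web server account cannot rewrite code files, audit what is still
# writable, and detect files that changed after a baseline was recorded.
# The directory layout below is constructed to resemble a forum install;
# which directories must stay writable is an assumption to adjust per site.
set -eu

# Run-time data directories the application legitimately writes to (assumed).
WRITABLE_DIRS="attachments cache"

# Build a throwaway tree with sloppy permissions so the script runs offline.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/Themes/default" "$root/Packages" "$root/attachments" "$root/cache"
    printf '<?php echo "index";\n' > "$root/index.php"
    printf '<?php echo "theme";\n' > "$root/Themes/default/index.template.php"
    printf 'placeholder\n' > "$root/Packages/.keep"
    chmod -R 777 "$root"          # the state a careless install often ends up in
    printf '%s\n' "$root"
}

# True when a path relative to the root lies inside an allowed writable dir.
allowed_writable() {
    rel=$1
    for d in $WRITABLE_DIRS; do
        case "$rel" in "$d"|"$d"/*) return 0 ;; esac
    done
    return 1
}

# Code: directories 755, files 644, so only the owner can modify them.
# Data directories: 775, so the web server's group can write there.
# chown to a separate deploy user and web server group is left to the operator
# (it needs root); the mode bits only help if the web server does not run as
# the file owner.
harden_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod 775 "$root/$d"; fi
    done
}

# Report group- or other-writable paths outside the data directories on
# stderr and print how many were found (paths are assumed to contain no spaces).
audit_writable() {
    root=$1
    n=0
    for p in $(find "$root" \( -perm -020 -o -perm -002 \) -print); do
        if ! allowed_writable "${p#"$root/"}"; then
            printf 'still writable: %s\n' "$p" >&2
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Baseline: "<sha256>  <relative path>" for every file outside the data dirs.
# Take it right after a clean install or upgrade and keep it off the web root.
make_manifest() {
    root=$1
    (cd "$root" && find . -type f -print | sed 's|^\./||' | sort | while IFS= read -r f; do
        allowed_writable "$f" || hash_cmd "$f"
    done)
}

# Print the number of files that were modified, added or removed since the
# saved manifest; anything above zero deserves a look (cf. the modified files
# found on the Avast server).
check_manifest() {
    root=$1
    saved=$2
    make_manifest "$root" > "$saved.now"
    diff "$saved" "$saved.now" | awk '/^[<>]/ { print $3 }' | sort -u | wc -l | tr -d ' '
    rm -f "$saved.now"
}

demo() {
    r=$(make_sample_root)
    echo "writable paths before hardening: $(audit_writable "$r" 2>/dev/null)"
    harden_permissions "$r"
    echo "writable paths after hardening:  $(audit_writable "$r")"
    m=$(mktemp)
    make_manifest "$r" > "$m"
    printf '// tampered\n' >> "$r/Themes/default/index.template.php"
    echo "changed files since baseline:    $(check_manifest "$r" "$m")"
    rm -rf "$r" "$m"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh harden.sh demo` to see the sample tree go from seven writable code paths to none, and the manifest check flag the one edited theme file. On a real install, point `harden_permissions` and `make_manifest` at the web root, store the manifest outside it, and run `check_manifest` from cron; the data directories are deliberately excluded from the manifest because their contents change legitimately, which is also why an admin-level tool such as a theme editor writing into the code tree should stand out.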