Hashed passwords potentially stolen in phpBB hack
In an attack on the website of the popular forum software phpBB, the attackers were able to steal hashed passwords, phpBB has announced. The forum software's makers had previously advised users of the website to change their passwords as a precaution.
News of the hack had already emerged on Monday. According to phpBB, it now appears that the attackers gained access to the databases of phpBB.com and Area51, phpBB’s development environment. This means that hashed login data may have been stolen. The attackers also allegedly installed a sniffer to log all logins between December 12 and 15, although phpBB’s hashing tool would make it difficult to retrieve plaintext passwords.
phpBB used the bcrypt algorithm with a work factor to hash the passwords. The passwords in the database were also salted, which prevents them from being recovered via rainbow tables. It’s not clear whether that also applies to the sniffed passwords. phpBB advises users who also use their phpBB.com or Area51 password elsewhere to change their password.
The attackers did not tamper with phpBB’s installation files, the forum software’s makers promise. In addition, the attackers did not get in through a vulnerability in the forum software, but managed to obtain the login details of a phpBB team member. phpBB promises to provide more clarity soon about the measures taken after the hack. At the time of writing, the phpBB site is still offline.