Ubuntu Forums Hack Exposes 1.8m Accounts

Canonical advises members to change their passwords as soon as possible

Ubuntuforums.org, the official community for Canonical’s Linux-based OS, suffered a security breach over the weekend, as attackers identifying themselves as ‘@sputnik1_’ defaced the website and gained access to all user names, emails and hashed passwords.

Ubuntu is the most popular Linux-based desktop OS in the world, and the fastest growing open source OS. Earlier this year, Canonical announced Ubuntu versions for smartphones and tablets, with the first handsets running the platform due to ship in October.

The company has apologised for the incident, and advised users to change their passwords as a precautionary measure. At the time of writing, the forum remains inaccessible while the Canonical team investigates the attack. No other Ubuntu or Canonical services were affected.

“You dun goofed”

Canonical was able to take the forum website down just four minutes after receiving reports of defacement. Even though the passwords were hashed and ‘salted’, “good practice dictates that users should assume the passwords have been accessed and change them,” wrote Jane Silber, CEO of Canonical.

Silber’s warning might have something to do with the fact that the passwords were hashed using the MD5 algorithm, which is seen by many security experts as outdated. Canonical will also personally notify all users whose details have been compromised.

“We are continuing to investigate exactly how the attackers were able to gain access and are working with the software providers to address that issue. Once the investigation is concluded we will provide as much detail as we safely can,” wrote Silber on the Canonical blog.

So far, none of the information stolen from Ubuntu Forums has surfaced online. ‘@sputnik1’ seemingly points to a Twitter account, which has now been suspended. While the forum remains down, Silber encouraged Ubuntu users to direct their queries to the Ubuntu support communities on Reddit and Google+.
