[BreachExchange] XKCD forum breach exposes details from over 560,000 user accounts

Destry Winant destry at riskbasedsecurity.com
Thu Sep 5 10:22:23 EDT 2019


XKCD, the sarcastic webcomic revered by science and tech geeks, is now
the butt of someone else's joke. Hackers breached the forum of the
14-year-old site, stealing over 560,000 usernames, emails, IP
addresses and hashed passwords. Security researcher Troy Hunt, who
owns the data breach website Have I Been Pwned, alerted the site's
administrators over the weekend. Hunt was originally tipped off about
the breach by white hat hacker Adam Davies.

XKCD promptly took down its forum, and posted a short message warning
users to change their passwords -- as well as any similar passwords
for other accounts. "The xkcd forums are currently offline. We've been
alerted that portions of the PHPBB user table from our forums showed
up in a leaked data collection. The data includes usernames, email
addresses, salted, hashed passwords, and in some cases an IP address
from the time of registration. We've taken the forums offline until we
can go over them and make sure they're secure. If you're an
echochamber.me/xkcd forums user, you should immediately change your
password for any other accounts on which you used the same or a
similar password," wrote XKCD.

Hunt noted that the webcomic's forum uses phpBB, a free and
open-source bulletin board widely used across the web, and that 58
percent of the IP addresses stolen already appeared on HIBP's
database. As ThreatPost explained, phpBB and other DIY platforms are a
popular choice for fan forums within the gaming community and are
often vulnerable to attacks due to being poorly maintained. Still,
it's unclear whether XKCD's forum was running an older version of
phpBB. Engadget has reached out to XKCD for comment, and will update
if we hear back.
