[BreachExchange] OpenWRT reports data breach after hacker gained access to forum admin account

Destry Winant destry at riskbasedsecurity.com
Tue Jan 19 10:41:12 EST 2021


https://www.zdnet.com/article/openwrt-reports-data-breach-after-hacker-gained-access-to-forum-admin-account/

The maintainers of OpenWRT, an open-source project that provides free
and customizable firmware for home routers, have disclosed a security
breach that took place over the weekend.

According to a message posted on the project's forum and distributed
via multiple Linux and FOSS-themed mailing lists, the security breach
took place on Saturday, January 16, around 16:00 GMT, after a hacker
accessed the account of a forum administrator.

"It is not known how the account was accessed: the account had a good
password, but did not have two-factor authentication enabled," the
message reads.

The OpenWRT team said that while the attacker was not able to download
a full copy of its database, the attacker did download a list of forum
users, which included personal details such as forum usernames and
email addresses.

No passwords were included in the downloaded data, but citing an
"abundance of caution," OpenWRT administrators have reset all forum
user passwords and API keys.

The project is now informing users that the next time they log into
their accounts, they'll need to go through the password recovery
procedure. This process is also mandatory for those using OAuth
tokens, who will need to re-sync their accounts.

GREAT PHISHING OPPORTUNITY FOR SUPPLY CHAIN ATTACKS

Furthermore, OpenWRT admins are warning forum users that they might
also see an increase in email phishing attempts.

While some might argue about what's so important about an OpenWRT
forum account, the portal is often frequented by developers working
for companies that sell OpenWRT-compatible routers or software.

Compromising a forum account on OpenWRT could be the first step
towards escalating access into the internal networks of many hardware
and software development companies.

As a result, the OpenWRT team is urging forum users not to click any
links inside emails they receive claiming to come from its domain.
Instead, users should type the forum's URL (forum.openwrt.org) in
their browser address bar by hand and access it this way.

OpenWRT admins said that only forum user data appears to have been
compromised for now. The OpenWRT wiki, which provides official
download links and information about how users could install the
firmware on various proprietary router models, was not breached, based
on current evidence.

