MacRumors forums breach exposes 860,000 accounts

A popular Mac news website, MacRumors, reported that their forums were compromised on Tuesday. The attack led to the exposure of some 860,000 accounts, and is said to be similar to the one that took place on the Ubuntu forums earlier this summer.


In a statement to users, Arnold Kim, the Editorial Director for MacRumors, said that the breach appeared to be similar to the one that happened on the Ubuntu Forums in late July. However, he explained, administrators detected the breach as it was happening.

"Yesterday, we were hacked. We detected it relatively quickly, but are still going through the logs with a 3rd party security company," Kim said in a statement.

"We restored the forum from backups from before the incident. I'll fill you in more as we get more information back, as it's still early. But it's safest to assume at least part of the user table was taken, which means usernames, email addresses, and hashed passwords."

As mentioned, the MacRumors breach appears to be similar to the one suffered by the Ubuntu forums in late July. In both cases, an attacker compromised a moderator's account, and used that access to gain additional permissions, allowing them to target the user table. What isn't known, or at least what wasn't made public by MacRumors, is how the privilege elevation happened in their situation.

During the Ubuntu incident, the attacker used Cross-Site Scripting (XSS) to gain access to an administrator's account. They did so by using the compromised moderator credentials to create an announcement with embedded XSS code, which stole an administrator's credentials. As an administrator, the attacker was able to use the hook feature available to administrators in vBulletin (the forum platform used by Ubuntu and MacRumors) to execute PHP code, which finalized the attack.

"The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the user table to a file on disk which they then downloaded," Canonical explained at the time.

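A defender's view of the mechanism Canonical describes, as an added example that is not from the article, Canonical or MacRumors: a hook that runs PHP taken from a query string leaves that PHP in the web server's access log whenever it arrives in a GET request. The log lines, addresses and the parameter name `x` below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not from either incident).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /forumdisplay.php?f=12&page=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /index.php?x=echo%20php_uname()%3B HTTP/1.1" 200 312 "-" "curl/7.30"
198.51.100.4 - - [01/Jan/2024:10:03:40 +0000] "GET /search.php?query=system+requirements HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:04:05 +0000] "GET /index.php?x=print_r(scandir(%27.%27))%3B HTTP/1.1" 200 901 "-" "curl/7.30"
"""

# client IP, timestamp, method, request target, status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signs that a parameter value is PHP source rather than data:
# a function call terminated by ';', an opening PHP tag, or a superglobal.
# Matching call syntax (not bare keywords) keeps "system requirements" clean.
CODE_SIGNS = [
    re.compile(r"\b[A-Za-z_]\w*\s*\(.*\)\s*;"),
    re.compile(r"<\?(php|=)", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b"),
]

def find_code_in_query(log_text):
    """Return (ip, path, param, decoded_value) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, _ts, _method, target, _status = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded payloads are compared
        # in the form the application would have received them.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            if any(sign.search(value) for sign in CODE_SIGNS):
                hits.append((ip, url.path, param, value))
    return hits

if __name__ == "__main__":
    for hit in find_code_in_query(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the request line, so the same payload sent in a POST body or cookie would not appear here and needs request-body logging or application-level auditing to be seen.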

Again, MacRumors hasn't disclosed the full details of their particular incident, but even if the attack they suffered happened exactly the same way the Ubuntu attack did, nothing changes for the users.

"In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known," an announcement on the forum explained.

In the breach announcement, MacRumors encouraged users within the community to change their passwords, especially if they were recycled and used on other websites. Based on some of the comments left on the MacRumors forum, this is solid advice, as many of the commenters admit to reusing their passwords for other services, including Apple IDs. To keep password reuse to a minimum, MacRumors has recommended the use of password managers such as 1Password or iCloud Keychain.

Email notifications are pending, and additional details on the breach are expected as clean-up is completed. Updated information will be posted to the MacRumors website, and the security thread on the forums.
