In an attack on the website of the popular forum software phpBB have the attackers hashed passwords can city. That has phpBB published. Previously advised by the forum software, users of its website as a precaution to change passwords.
News of the hack came on Monday already to the outside. According to phpBB, it now appears that the attackers have gained access to the databases phpBB.com and Area51, the development of phpBB. That means that encrypted credentials can be captured. Also would the attackers have a sniffer installed to between 12 and 15 december, all the logins to log in, though the hashing tool of phpBB make it hard to read the plaintext passwords.
PhpBB has the algorithm bcrypt with a factor used to set the passwords to encrypt. In the database existing passwords were also fitted with a salt, which can prevent them using rainbow tables may be outdated. It is not clear whether that also applies to the gesniffte passwords. PhpBB advises users that their password phpBB.com or Area51 elsewhere use to change their password.
The attackers have not tampered with the files of phpBB, promise the creators of the forum software. The attackers are also not coming in through a vulnerability in the forum software, but knew the credentials of a phpBB team member to find out. PhpBB promises soon with more clarity about the measures after the hack have been taken. At the time of writing, the phpBB site is still offline.