Slashdot Mirror


Android Forums Hacked: 1 Million User Credentials Stolen

An anonymous reader writes "Phandroid's AndroidForums.com has been hacked. The database that powers the site was compromised and more than one million user account details were stolen. If you use the forum, make sure to change your password ASAP. From the article: 'Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.'"


  1. lol linux by Anonymous Coward · · Score: 4, Funny

    Was it run on... Linux? BWAHAHAHAHAHAH!

    Linux = FAIL.
    Windows or OS X are the only secure solutions.

    1. Re:lol linux by multiben · · Score: 1, Offtopic

      Oh come on whoever modded this down. Get a sense of humour!

    2. Re:lol linux by multiben · · Score: 4, Funny

      You're right. I'm sorry, now back to work everyone! These are serious times. Linux is the best operating system that has ever existed and nothing will ever be better than it. It is perfect and nobody should ever laugh at it. You know why? Because it's not funny! That's why. In fact, nothing is funny. Somebody told me a joke once back in 1972 and frankly I just didn't see the point. It distracted me from being serious.

    3. Re:lol linux by multiben · · Score: 1

      I know, I am totally agreeing with you.

    4. Re:lol linux by Anonymous Coward · · Score: 1

      It wasn't funny to you, probably because you're a Lintard. To some though, it was funny. You're not funny at all. In fact, you're rather sad.

      Yeah sure. It's like George Carlin's rules of the road. Anybody who drives slower than you is STUPID. Anybody who drives faster than you is CRAZY.

      It's like that with insecure people and humor too. Anybody who didn't think the joke was funny was obviously too stupid to get it. Oh, if only they were graced with your wit and your sense of humor!

      Clearly they are some kind of *tard. Oh was it about Linux? Yes, Lintard. That's what they are.

      Course the difference between a comedian and a +5 Funny slashdot post is that the comedian actually has to be funny. Slashdot seems to really hate it when you put any kind of wit or creativity into a joke. They'd rather hear for the ten thousandth time how awesome it would be if we got some sharks and put lasers on their heads. It's just that "Linux = FAIL" hasn't become an official Slashdot meme yet, so people are willing to give it the moderation it deserves instead of pretending to like it.

      Why does it work this way? Why can't mods just honestly vote for what they like and dislike? Why do they adhere to this pattern even when moderations are anonymous?

      They are desperate to feel like one of the group, a member of a shared culture, an insider. All they had to sacrifice was any sense of taste or regard for quality. That's all. That's why the tired old memes don't get the -1 Redundant they deserve - it's a bunch of Aspies and insecure geeks desperately trying to feel like they belong to something. Ever been in a group and seen one of those people who can't just laugh at the movie, he has to turn and look all around the room to make sure somebody else is laughing too - and quickly shuts up if no one else is? That's because he's not really an individual. That's what most Slashdot mods are like. It's why they follow the pattern like good little programmed bots even when no one is looking.

      Those of us with real friends and family understand this. We have a frame of reference with which we can compare it.

    5. Re:lol linux by Tourney3p0 · · Score: 2

      If you thought that was funny, you're going to *love* this new comedian Dane Cook that's making the rounds. Not sure what operating system he uses, though.

    6. Re:lol linux by ColdWetDog · · Score: 2

      Huh?

      Whatever the hell he's going on about, he sure is upset with it.

      --
      Faster! Faster! Faster would be better!
    7. Re:lol linux by MobileTatsu-NJG · · Score: 1

      It wasn't funny. Damn sure wasn't insightful or informative. Maybe inciteful.

      It was both funny and insightful, you just haven't accepted the way it applies to you.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re:lol linux by Flere+Imsaho · · Score: 2

      People laughed when I said I wanted to be a comedian. Well, they're not laughing now.

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    9. Re:lol linux by Jawnn · · Score: 1

      It wasn't funny.

      I disagree. I'm certain that scores of 12-year-olds found it hilarious.

    10. Re:lol linux by broggyr · · Score: 1

      Anybody who drives faster than you is CRAZY.

      Anybody who drives faster than you is a MANIAC!

      FTFY

      --
      Irony? Yea, it's like goldy and bronzy, only it's made of iron!
    11. Re:lol linux by Anonymous Coward · · Score: 1

      Hey, stop speaking like a '00s guy. Here in the '10s we shortened that to a concise "he mad".

    12. Re:lol linux by sl4shd0rk · · Score: 1

      I thought you were introducing a new linux distro.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    13. Re:lol linux by AmberBlackCat · · Score: 1

      I would have modded it insightful. It illustrates the point that every time a security problem happens on a Windows system, the problem is blamed on Windows, even if that's an unfair accusation.

    14. Re:lol linux by Kalriath · · Score: 1

      He's either complaining about Windows Phone, or complaining about iOS. Presumably he needs to get out more.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    15. Re:lol linux by fluffythedestroyer · · Score: 1

      No reason to blame Linux, the OS has nothing to do with this problem. It was the administrator who was too stupid to put more security in its database. So please next time, like always, USE YOUR FUCKING HEAD when you read. It's getting annoying... and why aren't you banned. seriously, every time you write, nothing is good. only trolling

  2. Woo Hoo, big news! by Grayhand · · Score: 5, Funny

    Androids forums had a million users!!!!! Take that Apple!

    1. Re:Woo Hoo, big news! by BronsCon · · Score: 1

      There's really not, go look at some of my comments pointing out Apple's recent fuckups (not anti-Apple, just pointing out where they went wrong and pleading for improvement). Those mostly were modded down, just like the Linux joke.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Woo Hoo, big news! by MobileTatsu-NJG · · Score: 1

      Androids forums had a million users!!!!! Take that Apple!

      To go to StarBucks and work on our screenplays we have to go outside!! Take that, Linux basement dwellers!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:Woo Hoo, big news! by tehcyder · · Score: 1

      Androids forums had a million users!!!!! Take that Apple!

      Yeah, where's the forums app on my iToy?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  3. Somebody's rushing... by war4peace · · Score: 2

    It's the third major hack in two days. Summer break boosts hacking?
    My knee-jerk reaction was that there's a new, unknown exploit out there but from the summary I see there's a "known exploit".
    At least I don't have an account there and now I am sure I never will...

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Somebody's rushing... by SomePgmr · · Score: 1

      At least this site hashed the users' passwords.

    2. Re:Somebody's rushing... by zaphod777 · · Score: 1

      Hashed with a random salt. Although this can still be brute forced, it is just much more expensive for all passwords, not just the complex ones.

      --
      "Don't Panic!"
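The cost difference zaphod777 describes, as an added example that is not part of the thread and not Phandroid's code. The users, passwords and five-word dictionary are constructed; unsalted MD5 stands in for a weak legacy store and PBKDF2-HMAC-SHA256 with a per-user random salt for the salted one. The attacker-side functions count how many hashes each attack has to compute:

```python
import hashlib
import hmac
import os

# Demo work factor; real deployments use a far higher count (or scrypt/argon2).
ITERATIONS = 50_000

# Constructed sample users and a constructed tiny wordlist (not real breach data).
USERS = {"alice": "android", "bob": "123456", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "android", "letmein", "qwerty"]


def hash_unsalted(password):
    """Weak legacy scheme: one unsalted MD5 per password, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt, iterations=ITERATIONS):
    """Slow, salted KDF: PBKDF2-HMAC-SHA256 over the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_record(password):
    salt = os.urandom(16)  # fresh random salt per user
    return {"salt": salt, "hash": hash_salted(password, salt)}


def verify_salted(record, password):
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(record["hash"], hash_salted(password, record["salt"]))


def build_stores(users=USERS):
    """Return (unsalted_store, salted_store) for the same set of users."""
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: make_salted_record(p) for u, p in users.items()}
    return unsalted, salted


def crack_unsalted(store, wordlist):
    """One hash per candidate word serves every user at once (a lookup table)."""
    table = {hash_unsalted(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(wordlist)  # work = number of hashes computed


def crack_salted(store, wordlist):
    """Each user's salt forces the attacker to rehash every candidate per user."""
    cracked, work = {}, 0
    for user, rec in store.items():
        for w in wordlist:
            work += 1
            if hash_salted(w, rec["salt"]) == rec["hash"]:
                cracked[user] = w
                break  # stop guessing this user once found
    return cracked, work


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Both attacks recover the two dictionary passwords; the salt does nothing for a user whose password is in the wordlist. What it changes is that the unsalted store is cracked with five hashes for all three users, while the salted one costs a separate pass per user, and each of those hashes is slow because of the iteration count. Raising the work factor is what makes "much more expensive" meaningful; the salt only stops the attacker from sharing work across users or using a precomputed table.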
  4. Who cares? by dynamo52 · · Score: 2

    I use a unique email address and randomly generated password for every single website to which I register. I don't know if I am a member on this forum but even if I am, I'm not going to bother with changing credentials because frankly, if somebody wants to impersonate me on a forum I may have joined simply for advice on a particular product I say go for it.

    --
    Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
    1. Re:Who cares? by plutoXL · · Score: 1

      Well, apparently you don't care. But I am sure many other people do care.

  5. Re:Low expectations by Anubis+IV · · Score: 2

    This serves as yet another reminder of the value of using a password manager that can generate unique passwords for each and every site and then store them securely. That way, when the inevitable happens, as it did here, only that one password is compromised, and it comes at no hassle to you.

    I've been using 1Password for years, but a number of folks here seem to like KeePass, and I'm sure a few kind folks will reply with more suggestions below.

  6. Link... by uniquename72 · · Score: 1

    Link to forums... (Thanks for making me add more than just the link, /.)

  7. Forums by Archangel+Michael · · Score: 4, Insightful

    Most websites are "NOT SECURE" enough, so pretending that they are is simply dangerous. Wanna know how secure that website is? The Login is not on a SSL connection. Nuff Said!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
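A check for the complaint above, added here as an example and not code from the thread or from Phandroid: parse a page's HTML and report every form that contains a password field but whose submit target is not https. The HTML and the host forum.example are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed login page for the demo (hypothetical host forum.example).
SAMPLE_PAGE_URL = "http://forum.example/index.php"
SAMPLE_HTML = """
<html><body>
<form action="/search.php" method="get"><input name="q"></form>
<form action="/login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="https://forum.example/secure-login" method="post">
  <input type="text" name="user"><input type="password" name="pass" />
</form>
<form method="post"><input type="PASSWORD" name="pw"></form>
</body></html>
"""


class _LoginFormAudit(HTMLParser):
    """Collects (submit_url, is_https) for every form holding a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form = None  # state of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written bare
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                # An empty action submits back to the page itself.
                target = urljoin(self.page_url, self._form["action"])
                scheme = urlsplit(target).scheme.lower()
                self.findings.append((target, scheme == "https"))
            self._form = None


def audit_login_forms(page_url, html):
    parser = _LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def insecure_login_targets(page_url, html):
    """Submit URLs that would carry a password over plain http."""
    return [target for target, ok in audit_login_forms(page_url, html) if not ok]


if __name__ == "__main__":
    for target in insecure_login_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password submitted in the clear to:", target)
```

Only the submit target matters for the check: a login form served on an http page but posting to an https action still keeps the password off the wire, while a form with no action posts the password straight back to the http page it sits on. The search form has no password field and is ignored.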
    1. Re:Forums by Kozz · · Score: 2

      Most websites are "NOT SECURE" enough, so pretending that they are is simply dangerous. Wanna know how secure that website is? The Login is not on a SSL connection. Nuff Said!

      Grabbing credentials going over the wire of a non-SSL site is not at the top of my worries, but having SSL certainly gives people a false sense of security. Any idiot (well, almost) can obtain and install an SSL certificate for their webserver, but that doesn't mean said idiot remembered to lock down phpMyAdmin or any other number of stupid things.

      --
      I only post comments when someone on the internet is wrong.
    2. Re:Forums by Robert+Zenz · · Score: 1

      So, how exactly does SSL help with, say, SQL injection or a buffer overflow?

      Just because a website is using SSL, doesn't mean that the webmaster has a clue what it's doing.
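The answer to Robert Zenz's question, as an added example that is not from the thread and not Phandroid's code: the same login query written with string formatting and with bound parameters, run against a constructed in-memory SQLite table. Transport encryption delivers the attacker's string intact either way; only the parameterised version keeps it out of the SQL grammar. The plain SHA-256 here is just to keep the demo short and is not an adequate password hash.

```python
import hashlib
import sqlite3


def _h(password):
    # Plain SHA-256 keeps the injection demo short; NOT a proper password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """Constructed users table with two accounts (sample data, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    db.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", _h("correct horse")), ("alice", _h("hunter2"))],
    )
    return db


def login_vulnerable(db, username, password):
    """String formatting: the username becomes part of the SQL statement."""
    sql = "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'" % (
        username,
        _h(password),
    )
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Bound parameters: the username is only ever compared as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, _h(password))).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    # "--" starts a comment in SQLite, so the password check is commented out.
    payload = "admin' --"
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))
    print("safe, injected:      ", login_safe(db, payload, "anything"))
```

With the payload the vulnerable query collapses to `SELECT id FROM users WHERE username = 'admin'` and the attacker is logged in as admin without a password; the bound version looks for a user literally named `admin' --` and finds nothing. Whether the request arrived over TLS changes none of this.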

  8. Re:Low expectations by Anonymous Coward · · Score: 2, Funny

    i'd love to use keepass, but i am too fucking stupid. i am going to try again right now. fucking complicated shit.

  9. Re:Screw websites that *require* a login by BronsCon · · Score: 2

    You hear that, Slashdot? Now you know how to get rid of this guy!

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  10. This is news? by thetoadwarrior · · Score: 4, Funny

    Some low budget Android site gets hacked and we feel the need to talk about it? It's a fucking PHP based site. I'm surprised it's not being hacked in between each restart to recover from memory leaks.

  11. Re:Screw websites that *require* a login by Setsquare · · Score: 1

    Shouldn't forums just need a digital signature?

  12. The known exploit by wbr1 · · Score: 3, Funny

    androidforums.com runs on a cluster of old phones. A simple android root program injected into the php was all that was needed :P

    --
    Silence is a state of mime.
  13. Re:Low expectations by Anubis+IV · · Score: 1

    That sounds less secure to me, since a simple rubber hose and some pliers applied to you can result in the recovery of those passwords. In contrast, I don't even know the vast majority of mine, offering me plausible deniability. You'd have to not only gain access to me, but also my encrypted database of passwords in order to get access to mine (and since the company behind 1Password has demonstrated a willingness to update and improve their encryption in the past, I expect that they'll continue to keep up with the times, such that no one will be able to simply crack the encryption and gain access to my passwords).

  14. And, To Fulfil the Irony.... by rueger · · Score: 2

    It appears that the change password page is Slashdotted - I can't get more than one character into the form before it freezes up.

    Good thing it's still using the old password that I used for forums before the great LinkedIn password crisis!

    1. Re:And, To Fulfil the Irony.... by cerberusss · · Score: 2

      It appears that the change password page is Slashdotted

      It's the password that I only use for all my forum accounts, so I don't really care if it's hacked or not. Should I post stupid stuff, then it's just the silly Android Forums hacker.

      --
      8 of 13 people found this answer helpful. Did you?
    2. Re:And, To Fulfil the Irony.... by cerberusss · · Score: 5, Funny

      It's the password that I only use for all my forum accounts, so I don't really care if it's hacked or not. Should I post stupid stuff, then it's just the silly Android Forums hacker.

      HAHAHA DISREGARD THAT, I SUCK COCKS

      --
      8 of 13 people found this answer helpful. Did you?
    3. Re:And, To Fulfil the Irony.... by coinreturn · · Score: 1

      +5, Funny as hell

  15. Is this the new hype? by Lord+Lode · · Score: 1

    Hacking sites to leak hundreds of thousands of passwords? This is the fourth recent case I know of.

  16. Re:Low expectations by Ded+Bob · · Score: 2

    I just wanted to mention that KeePassX runs on UNIX systems.

  17. Please use OpenID by Galestar · · Score: 2

    That is all.

    --
    AccountKiller
  18. Original Source by izomiac · · Score: 4, Informative

    Here is the original source, with more information and less sensationalism. They aren't sure if any user information was downloaded, but are treating this as a full breach. To their credit, they at least hashed the passwords, and chose to inform their userbase rather than sit on it until they figured out if any user data was actually stolen or not.

    1. Re:Original Source by DaScribbler · · Score: 2

      Here is the original source, with more information and less sensationalism. They aren't sure if any user information was downloaded, but are treating this as a full breach. To their credit, they at least hashed the passwords, and chose to inform their userbase rather than sit on it until they figured out if any user data was actually stolen or not.

      No, they only informed those who actively frequent their site, since all they did was post a warning at the top of the forums page. They took no steps beyond that. They didn't bother to send out a mass email to their registered users. I didn't learn about it until yesterday, 3 days after the breach, and that's only because I read it here on slashdot. If I hadn't read about it here, it would probably have been another 5 or 6 days before I learned about it, since that's about how often I frequent their site.

  19. Fuck It by Ryanrule · · Score: 1

    Lets just make everything public.

    1. Re:Fuck It by DarwinSurvivor · · Score: 1

      I would love it if we could get rid of all this password nonsense and just append pgp signatures to everything. Whole-site encryption (unless it's a private site) would be pointless, you wouldn't need to give them an e-mail account and there would be NOTHING to protect on the websites.

      Note: The above only applies to forum/blog style sites and not private (bank, corporate, etc) sites that hold *confidential* information.

  20. Re:Low expectations by Serious+Callers+Only · · Score: 1

    That's great, but who remembers the one password to your encrypted database of passwords?

  21. Does this mean.. by 0ld_d0g · · Score: 4, Funny

    They open sourced the passwords? :-P

  22. Will they become... by juanfgs · · Score: 1

    Paranoid Androids?

  23. Re:Low expectations by KernelMuncher · · Score: 1

    The best passwords are those hiding in plain sight. I like to keep a few pictures of things at my desk that instantly remind me of the password. For example it could be a picture of a big fat guy for password 300#FatGuy. That way you're unlikely to forget and still nobody would ever guess the actual password.

  24. Re:Low expectations by Anubis+IV · · Score: 1

    I do, of course, but as I said, they'd have to grab both me and the database in order to use the rubber hose method, whereas AC's technique requires no database, since the palace he's talking about is a memory retention technique, meaning that grabbing him would mean grabbing the database at the same time. I'm not suggesting mine is immune to rubber-hosing, just that it requires one more step to be possible, making it a bit more secure.

  25. Re:Low expectations by tehcyder · · Score: 1

    That sounds less secure to me, since a simple rubber hose and some pliers applied to you can result in the recovery of those passwords. In contrast, I don't even know the vast majority of mine, offering me plausible deniability.

    "Plausible deniability" is a piece of legal weaselling, not a way of stopping someone slicing your balls off with a cheesewire.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  26. Re:Low expectations by Anubis+IV · · Score: 1

    Sure...but it keeps my passwords secure! ;)

  27. Re:Low expectations by AmbushBug · · Score: 1

    Yep, and KeePassDroid on Android.