Ubuntu forum hack sets same-password users at risk

Canonical has announced a serious security breach of its forums. The key points of the announcement:

  • Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.
  • The passwords are not stored in plain text; they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
  • Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.

If someone impersonates you on the Ubuntu forums it might be embarrassing, but probably not a calamity. The real risk is escalation. Presuming the attacker is able to work out the passwords (they have all the time in the world to run password-cracking tools and dictionary attacks against the stolen data offline), the recovered passwords could be used to compromise more valuable accounts that share the same password.
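To make the "salted hashes" point concrete, here is an added example (not code from the announcement or from the forum software, which the page does not describe) contrasting a salted fast hash with a salted slow key-derivation function. SHA-256 stands in for "some fast hash" as an assumption, and the user and wordlist counts are constructed, not the real breach figures.

```python
import hashlib
import hmac
import os
import time

# PBKDF2 work factor; tune so one verification costs on the order of 0.1 s.
ITERATIONS = 200_000


def hash_fast(password: str, salt: bytes) -> bytes:
    """Salted but fast: one SHA-256 pass per guess (assumed stand-in scheme)."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_slow(password: str, salt: bytes) -> bytes:
    """Salted and slow: PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(password: str, hash_fn) -> tuple:
    """Generate a random per-user salt and return (salt, digest) for storage."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)


def verify(password: str, salt: bytes, digest: bytes, hash_fn) -> bool:
    """Recompute and compare in constant time so the check itself leaks nothing."""
    return hmac.compare_digest(hash_fn(password, salt), digest)


def seconds_per_guess(hash_fn, guesses: int) -> float:
    """Cost of one guess: what each wordlist entry costs whoever holds the table."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / guesses


def dictionary_work(wordlist_size: int, user_count: int, per_user_salt: bool) -> int:
    """Hash evaluations needed to try a wordlist against a leaked table.

    Per-user salts defeat precomputed tables and force the work to be redone for
    every account; an unsalted table lets one pass over the wordlist cover all
    users. Note the salt does nothing to protect a weak password once the
    attacker decides to spend that work on a specific account.
    """
    return wordlist_size * (user_count if per_user_salt else 1)
```

The slowdown factor returned by comparing `seconds_per_guess(hash_slow, ...)` with `seconds_per_guess(hash_fast, ...)` is the multiplier the slow scheme imposes on every offline guess; the salt multiplies the work across accounts, the iteration count multiplies it per guess.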

Password recovery mechanisms can work against you. Businesses hate dealing with password reset requests, so they automate them as much as they can. This is why Ubuntu’s warning about email accounts is critical: many web sites will simply email your password (or a reset link) on request, so if your email account is compromised, many other accounts may be compromised too.

A better approach in a world of a million passwords is to use a random password generator alongside a password management database for your PC and smartphone. It is still a bit “all eggs in one basket”: if someone cracks the master password for your management database and gets access, then they have everything.

It is a dreadful mess. Two-factor authentication, which involves a secondary mechanism such as a security token, card reader, or an SMS confirmation code, is more secure, but it is best reserved for a few critical accounts; otherwise it becomes impractical. Two-factor authentication plus single sign-on is an even better approach.