The forum for the techie-darling comic strip XKCD was still offline on Monday afternoon after Troy Hunt’s breach site, Have I Been Pwned, reported on Sunday that 562,000 of the forum’s accounts had been breached sometime in August.
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames a… twitter.com/i/web/status/1…
—
Have I Been Pwned (@haveibeenpwned)
September 01, 2019
A breach notice on the echochamber.me/xkcd forums echoed Hunt’s message: portions of the forums’ phpBB user table showed up in a cache of leaked data, it said. The forum exposed usernames, email addresses, passwords salted and hashed using the obsolete MD5 hashing function, and IP addresses. To translate: MD5 is a hashing function, and it’s not a good one. For over a decade, it’s been recognized as not producing truly random hashes and there have been far, far better solutions for storing passwords for decades.
