If you have an account on the XKCD forum, change its password right now.
The popular webcomic XKCD has been hacked. Unknown hackers were apparently able to breach the XKCD forum and steal the personal data of over 562,000 users.
The breach took place last month; the stolen data was identified by security researcher Adam Davies. However, the breach was first announced publicly by Troy Hunt of Have I Been Pwned, which indicates that XKCD itself was unaware of the incident until now.
According to Hunt, the stolen data, which has been leaked on the internet, includes IP addresses, usernames, email addresses, and passwords stored as MD5-based hashes, a format that is easy to crack.
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned https://t.co/LGaAnj1hUA
— Have I Been Pwned (@haveibeenpwned) September 1, 2019
Hunt also shared a screenshot showing the first hash from the breach:
XKCD, on the other hand, has acknowledged the breach, and since the news broke the forum has been offline with a message urging users to immediately change their password on any other account where they might have used the same or a similar password.
“The XKCD forums are currently offline. We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection […] We’ve taken the forums offline until we can go over them and make sure they’re secure,” says the message.
It is worth mentioning that in January this year, the popular browser-based role-playing game Town of Salem also suffered a data breach in which the personal data of 7.6 million gamers was stolen. In another breach back in 2017, gun retailer Airsoft GI also had its forum hacked, with the personal data of 65,000 users stolen.
What the Town of Salem, Airsoft GI and XKCD forum breaches have in common is that all three platforms were running phpBB (PHP Bulletin Board) software. Although it is still unclear how the breach took place, it is quite possible that the hackers got their hands on a zero-day vulnerability affecting phpBB or some other component of the platform.
At the time of publishing this article, the XKCD forum was offline, but on Reddit, XKCD users are discussing the breach in detail.
If you have an account on the XKCD forum, change your password right now, and also change it on any other accounts where you used the same password.
Now that the data is publicly available, it is only a matter of time before malicious actors attempt to log in to or reset your accounts for their own use.