Android Forums hacked: 1 million user credentials stolen

Summary: Phandroid's Android Forums has been hacked. The database that powers the site was compromised and more than 1 million user account details were stolen. If you use the forum, make sure to change your password ASAP.

Phandroid has revealed that its Android Forums website was hacked this week using a known exploit. The data that was accessed includes usernames, e-mail addresses, hashed passwords, registration IP addresses, and other less-critical forum-related information. At the time of writing, the forum listed 1,034,235 members.

If you are one of them, you should change your password: go to your UserCP or use the Forgot your password? function. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.

In a post titled Important Notice - Security Breach, Android Forums administrator "Phases" posted the following facts about the breach:

  • The exploit used has been identified and resolved. The server has been further hardened and extra "just in case" actions have been taken.. and will continue to be taken.
  • All code that resides in the database and the file system has been thoroughly reviewed for malicious edits and uploads.
  • No other sites in our network appear to have been accessed (we're triple checking).
  • The user table of AndroidForum's database was (at a minimum) accessed. While we can't prove or disprove whether or not the data was downloaded (due to the way the data was transferred), it's completely possible.. and we've taken action assuming this is the case.
  • Information in the user database includes: Unique ids, usernames, emails, hashed (encoded) passwords, registration IP addresses, usergroup memberships, infraction levels, last time online, last post date, post count... as well as far less critical things like number of PMs, visitor messages, last online dates, and some vbulletin options set in your UserCP.
  • Immediately following the incident, all ~100 staff were notified of a pending password change - and all passwords were changed to random strings. Almost all are back in with new passwords. Because gaining access to a staff member account could pose the biggest threat, we first moved to secure these accounts.

Phases also noted that he believes this was an e-mail harvesting attempt. In other words, whoever hacked Android Forums was looking for e-mail addresses to spam at a later time. That being said, the attack could have also been done just for kicks. Either way, Phandroid is still investigating the breach.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • What OS was the server running?

    Netcraft reports it as being Linux.

    • Without Further Information, That's Meaningless

      Since they haven't disclosed how the website was compromised, the operating system it's running on is immaterial. Without further information we don't know where the exploit occurred, at the operating system level or in another way altogether.
      • Oh, is that information important?

        Why does it matter where the exploit occurred? A demand for such detailed information is NEVER required when software that happens to be running on a Windows server is exploited.

        Also, we've constantly been told that all we have to do to secure ourselves is to switch to Linux. There is no talk of having to do any extra work to secure your software that happens to be running on Linux. No. People here stake their reputations on statements that if we switched to Linux, we would become safe. Now it turns out that reality is more nuanced.

        Huh. Whodathunkit?
        • no you get it wrong

          we need to switch to iOS. It is secure and it just works.
        • Ever heard of mod_security? iptables? chkrootkit? tcpwrappers?

          Linux computers get hacked every day. Extra steps are taken all the time to improve the security of servers running Linux.

          When a Windows server is exploited, more information is ALWAYS needed, especially because of poorly coded mainstream software like Adobe Flash, Adobe Reader, and Internet Explorer.
          • Welcome to ZDNet, you must be new here

            "When a Windows server is exploited, more information is ALWAYS needed"

            Nope. Not historically. Not on ZDNet.

            Now, if you are suggesting that those who have done this in the past are ignorant little trolls, yes, I would agree.
          • Where did jd suggest ignorant little trolls?

            Why do you need to justify your comment with what is not suggested?

            (Todds Bott, ZDNET changed to all English format site, ie those that speak English)
        • Is this trolling?

          Are you serious? The operating system doesn't matter unless it was an exploit related to that OS. Also, switching operating systems will not improve the security of an insecure system.

          Suppose you have a wooden door which uses a deadbolt lock to keep the door shut and secure. Now suppose someone finds a fault in the tumbler design of the deadbolt.

          Will switching to a steel door, but using the same deadbolt improve security? No; that is, unless you're counting security against crazed, axe-wielding dudes who quote Johnny Carson.

          The obvious course of action is to change the lock or, at the very least, the tumbler for one that's known to be secure. At least secure for now.

          Credits (in order of appearance):
          Microsoft Windows as "wooden door"
          Web site/app as "deadbolt"
          Linux as "steel door"
          • As you see

            common sense, is missing.
        • You're Confused

          A server machine is always going to be much more vulnerable than a desktop machine. Most people who know what they're talking about will agree that Linux is far safer on the desktop (not even close).

          Servers are a different story. For one, we don't know how this hack occurred. Was it an unpatched vulnerability? Were the admins lazy? Was it improper configuration of Apache? Were they using SELinux policies? Etc..

          A server is a sitting target with processes running open to the Internet at large. It doesn't much matter what OS it is, if the service has a vulnerability it can always be exploited and lead to a user level access breach (and sometimes privilege escalation). Most of the time servers are cracked because admins are lazy.

          In any case, this was a breach of a web forum, so it's not much of a threat. When I sign up for any web forum I use a disposable e-mail address and a unique password. If my data gets stolen, who cares.
          • I think what he's talking about is more of a user issue

            in that if a Windows Server is breached, we're inundated with "It's because Windows sucks", because it's automatically the OS's fault, and nothing else.

            If a Linux Server is breached, we're inundated with "It's because the Admin sucks!", as it's automatically the admin's fault, and nothing else.
            William Farrel
  • It was anonymous...

    Anonymous was looking for pedophiles... Everyone knows that Roid users are all a bunch of pedophiles... Now, they that are legion will rain hell down upon you roid loving sickos!!!
  • If you use your real credentials/email for internet forums...

    You deserve to be hacked.
  • Android Forums hacked: 1 million user credentials stolen

    What OS was it running???
    Loverock Davidson-
    • We've been told that in this case, it doesn't matter

      I can't quite figure out what is different in this case since every time any security issue happens on a Windows computer (desktop or server) the investigation is over - the culprit has been determined - it is always the fault of the OS.

      Something is different this time. Not sure what though, will have to investigate further.
      • I'll blame linux

        I'll continue to blame linux until we have proof of it being something different.
        Loverock Davidson-
        • So absent any data or facts...

          you'll arbitrarily place blame because it suits your prejudice?

          Wow. Just like NonZealot, I mean Toddbottom, proudly proclaiming himself a troll with that stunning picture, you're proudly claiming to be one as well.

          At least you admit it.
    • Judging by the web page source for the site.

      That has checks for IE6 through 9, but no checks for any other browsers, my guess is Windows running IIS.
      • It's real hard

        trying to explain that to the two accounts.
    • The OS is largely irrelevant

      Nevertheless, Netcraft reports nginx on Linux. A quick look at the page source indicates that it's using WordPress. WordPress is an open-source platform, based on PHP and MySQL. WordPress sites usually run on Linux, using either Apache or nginx. It's possible to run WordPress on Windows, but it would be unusual.

      In short, the evidence suggests the site is running on Linux. At the same time, that probably has nothing to do with whatever it was that led to the breach. Despite myths espoused by Linux trolls, the OS (and especially the kernel) usually has very little to do with security breaches.