User data from Social Engineered, which bills itself as a forum for the “Art of Human Hacking,” was leaked in mid-June and posted on a rival site.
“Mybb had a vulnerability yet again and the site got breached along other websites using Mybb,” Social Engineered founder, Snow101, confirmed in a blog post.
“We moved over to xenforo i suggest changing your passwords immideately [sp].”
The information dumped from 89,392 compromised accounts included usernames, private messages, IP addresses and passwords, which were stored as salted MD5 hashes, according to a Have I Been Pwned blog post.
“MD5 is not a secure algorithm for hashing passwords. It has well-known flaws and is generally understood to be insufficient for protecting sensitive data of any kind,” said Tim Erlin, vice president of product management and strategy at Tripwire, who pointed out that information from such compromises is often used in social engineering schemes like phishing. “If you were going to choose a user base that’s especially difficult to target with phishing and other social engineering based attacks, this would certainly be near the top of the list.”