Avast, the Prague-based anti-virus firm known around the world for its free security software, has suffered a serious security breach which has exposed the information of approximately 400,000 users.
Yes, you heard that right. A security company has suffered a security breach. The irony shouldn’t be lost on any of us.
The most obvious visual indication that something has gone badly wrong can be seen by anybody with an internet connection, just by visiting the Avast community forum at forum.avast.com.
A blog post from Avast CEO Vince Steckler explains what’s wrong:
The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work.
This issue only affects our community-support forum. Less than 0.2% of our 200 million users were affected. No payment, license, or financial systems or other data was compromised.
We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately.
We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.
Even though Avast’s CEO might be keen to underline that no payment information was exposed as a result of the hack, I might quibble with the claim that “your sensitive data remains secure”. Surely it’s a concern that usernames, email addresses and hashed passwords have fallen into the hands of hackers?
Details of the algorithm used by Avast to secure the hashed passwords aren't revealed in the blog post, but clearly the firm is concerned that a determined attacker could crack some of the credentials, opening the possibility that victims will find other online accounts compromised if they have been using the same passwords elsewhere on the web.
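To show why "hashed" on its own is little comfort, here is an added illustration (not code from the article, and not Avast's scheme, which the post does not disclose): it contrasts an unsalted single-pass hash with a salted, iterated KDF, and includes the audit a defender can run on an unsalted table to see how many accounts share a password. The iteration count and the sample accounts are assumptions constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this illustration


def weak_hash(password: str) -> str:
    """One unsalted SHA-1 pass: cheap to guess, and equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_groups(store: dict[str, str]) -> list[list[str]]:
    """Audit an unsalted store: users with identical digests share a password,
    so recovering one digest exposes every account in the group at once."""
    by_digest: dict[str, list[str]] = defaultdict(list)
    for user, digest in store.items():
        by_digest[digest].append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)


# Constructed sample forum accounts for the demonstration (not Avast data).
SAMPLE_USERS = {"alice": "correct horse", "bob": "password1", "carol": "password1"}
UNSALTED_STORE = {u: weak_hash(p) for u, p in SAMPLE_USERS.items()}
SALTED_STORE = {u: strong_hash(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("accounts sharing a password, visible in the unsalted table:",
          shared_password_groups(UNSALTED_STORE))
    print("same password, different salted records:",
          SALTED_STORE["bob"] != SALTED_STORE["carol"])
    print("verify bob:", verify_strong("password1", SALTED_STORE["bob"]))
```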
Everyone should take care to use different passwords for different online accounts, ensuring that they use complicated passwords that are not easy to crack or to guess. I recommend that computer users run password management software like Bitwarden, 1Password, and KeePass for better password security.
To Avast’s credit, it does appear to have promptly responded to the attack, shutting the forum and emailing users who might be affected by the security breach. Compare that to eBay’s recently exposed tardy efforts in response to its own hacking attack.
Avast was using Simple Machines’ Forum (SMF) to power its message board, and it’s natural to suspect that the anti-virus firm had not kept the forum software properly up-to-date with the latest security patches.
Avast has been attacked before, of course. Last year, for instance, hackers attempted to change the company's DNS records to redirect website visitors to an alternative site, an attack which fortunately Avast was vigilant enough to deflect.
And, in fairness, Avast are far from the first security company to have suffered at the hands of internet attackers. My guess is that they won't be the last either.
Rival security companies would be wise not to feel too smug about Avast’s misfortune – but instead look closely at their own systems to determine if any of them might be slacking on security.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.