MacRumors hacked – 860,000 email addresses and hashed passwords stolen

Graham Cluley

The forums of popular Apple news website MacRumors were hacked earlier this week, exposing the usernames, email addresses and hashed passwords of over 860,000 members.

MacRumors announced the security breach in a posting on its site.

MacRumors announcement

Part of the alert read:


Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher. We believe that at least some user information was obtained during the attack.

In situations like this, it’s best to assume that your MacRumors Forum username, email address and (hashed) password is now known. What this means for you, if you have a MacRumors Forums account, is the following:

1. Change your password on our forums. If you have any problems, please contact us.

2. If you used the same password on any other site, change it there also.

It appears that the hackers managed to gain unauthorised access to the MacRumors user database after compromising a moderator’s account – raising questions of how diligent that particular user was being with their security, and of why a single moderator login was enough to reach the whole database.

MacRumors Editorial Director Arnold Kim told readers that the exposed passwords were salted and hashed, using vBulletin’s standard MD5 algorithm.

Unfortunately, that is no longer an adequate way to store passwords. A different salt for each user defeats precomputed rainbow tables and forces an attacker to work on every hash separately, which slows down cracking the whole database at once. But MD5 was designed to be fast, and a modern GPU cracker can try billions of salted-MD5 candidates per second, so any individual user whose password appears in a wordlist can expect to have it recovered in minutes. A deliberately slow password hash such as bcrypt or scrypt is what a site storing 860,000 credentials should be using.
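To make the point concrete, here is an added example (not code from the original article or from vBulletin) in Python. It reproduces the well-known vBulletin 3/4 construction md5(md5(password) + salt), runs a small dictionary attack against two constructed user records that share a weak password but have different salts, and contrasts it with an scrypt-based store. The usernames, salts, hashes and wordlist are all made up for the example and are not data from the MacRumors breach; the hashcat workflow the hacker describes below is the same idea at GPU speed.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def vb_hash(password: str, salt: str) -> str:
    """vBulletin 3/4 style: md5( md5(password) + salt ), hex-encoded.

    Reconstructed from public documentation of the forum software; this is
    an illustration, not vBulletin's own code.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def crack_vb(target: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on ONE salted-MD5 hash.

    The per-user salt means a precomputed table is useless, but every guess
    still costs only two fast MD5 calls, so a dictionary word falls quickly.
    """
    for candidate in wordlist:
        if hmac.compare_digest(vb_hash(candidate, salt), target):
            return candidate
    return None


def crack_all(users: Dict[str, dict], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Attack each record separately: the salt forces per-user work, nothing more."""
    words = list(wordlist)
    return {name: crack_vb(u["hash"], u["salt"], words) for name, u in users.items()}


def slow_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard scrypt (16 MiB per guess at these parameters).

    Each candidate now costs tens of milliseconds and real memory, which is
    what turns a minutes-long dictionary run into an impractical one.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(slow_hash(password, salt), stored)


# Constructed sample data: two users, same weak password, different salts.
USERS = {
    "alice": {"salt": "Ab3", "hash": vb_hash("password1", "Ab3")},
    "bob":   {"salt": "xY9", "hash": vb_hash("password1", "xY9")},
}
# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "letmein", "password1", "macrumors"]


if __name__ == "__main__":
    # Different salts give different hashes for the same password...
    print(USERS["alice"]["hash"] != USERS["bob"]["hash"])
    # ...but each one is still recovered by a trivial dictionary pass.
    print(crack_all(USERS, WORDLIST))
    # A password not in the wordlist survives this particular attack.
    print(crack_vb(vb_hash("correct horse battery staple", "Q1z"), "Q1z", WORDLIST))
    # The same weak password behind scrypt: correct for verification,
    # but each guess an attacker makes is now expensive.
    salt = os.urandom(16)
    stored = slow_hash("password1", salt)
    print(verify_slow("password1", salt, stored), verify_slow("password2", salt, stored))
```

Note that the salt does its one job (the two hashes differ, so the attacker cannot crack both with a single computation) and no more: both accounts fall on the third guess. Only the cost per guess, which the hash function sets, changes that.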

Sensible password security for internet users

Although questions may be raised about how well it was protecting its database of passwords, MacRumors should be applauded for offering its readers some sound advice in the wake of the security breach.

You should never use the same password in multiple places, so if there is a risk that your MacRumors password might have been exposed, you should be sure to choose a new, hard-to-crack password not just for the MacRumors site, but also for *any* *other* website which could be compromised as a result.

I’m still getting people smirking when I say this, and they can’t stop themselves from responding: “That’s fine for you to say, Graham. But how am I supposed to *remember* all these passwords for different websites? Your advice is impractical!”

Well, that’s why you should simply use password management software like Bitwarden, 1Password, or KeePass. They will not only do the password-remembering for you, but also help by generating hard-to-crack, complex passwords in the first place.

In my view it’s much safer to use good password management software than rely on yourself to dream up and remember all of your internet passwords.

Hacker: “We’re not going to leak anything”

Fascinatingly, someone claiming to be the hacker has posted on MacRumors own forums about the breach.

Someone calling themselves Lol claimed to be the person responsible for the hack and said they had no plans to leak any of the stolen information, and were not using the stolen passwords to log into other online accounts.

Post by person claiming to be the hacker

We’re not “mass cracking” the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Whether “Lol” really is the hacker (it certainly appears that they have inside knowledge), and whether they can be trusted not to exploit the stolen information, is another question entirely of course.

Regardless of their motivation, the hacker has broken the law by breaching MacRumors security.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

2 comments on “MacRumors hacked – 860,000 email addresses and hashed passwords stolen”

  1. I just heard the news. The MacRumors folks are good people. The bigger news is the allegation that vBulletin.com was hacked. I just saw it on Facebook and discovered your article by performing a search. So far I haven't heard anything from vBulletin about what, if anything, may have been compromised.

    1. Graham Cluley · in reply to Michael W

      See here for updates from vBulletin:

      https://grahamcluley.com/vbulletin-hacked/

      https://grahamcluley.com/vbulletin-denies-hackers-claims-zero-day-exploit-forum-software/
