Gun-wielding penguin promises not to leak 1.8 million passwords stolen from Ubuntu Forums

Last weekend there was a massive data breach, resulting in the email addresses, passwords and usernames of users of Ubuntu’s online forums being stolen.

The hacker who claimed responsibility, Sputn1k_, defaced the site with an image of a gun-wielding penguin.

Ubuntu forums defacement

At the time of writing, Ubuntu Forums is still down for maintenance, while its administrators check that they have properly hardened its defences against future exploitation. They are also, presumably, busy wiping some of the egg off their face after what appears to be an embarrassing example of an organisation not running a tight ship security-wise.


Perhaps the length of the downtime indicates that they are undertaking a major overhaul of the site, possibly replacing vBulletin, which they had been using to run their forums, with something else.

The silver lining on the cloud is that Sputn1k_ (man, that underscore is so irritating) says that he has no intention of exploiting the personal information he stole.

Message from Sputn1K

You can stop worrying about your passwords. Yes, they were encrypted. Encrypted with the default vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be the strongest, when you’re dealing with 1.8m users it would take a very long time to get anywhere with the hashes. You don’t have to worry about a DB leak. That isn’t how I like to do things.

If I do get into a website, most of the time there’s no REAL malicious intentions. Grab the database, leave a message. That’s it. I don’t like to over-do things. Might cause some downtime, but what if it WAS the “syr14n c3b3r 4rmy” (not that their brain-dead brains have the power to do anything whatsoever), and they did have malicious intentions, and they did leak the database and use it to their own advantage?

Oh, and keep on raging and sending me rage tweets, I love it.

Sputn1k_ may try to ease his conscience with claims that he had no “real” malicious intent, but this was still a case of unauthorised access to a computer system, which means it was a crime. Furthermore, he made unauthorised changes to the computer system by defacing the Ubuntu Forums site.

If Sputn1k_ is identified by the computer crime authorities, he may come to regret taking credit for the hack quite so publicly.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “Gun-wielding penguin promises not to leak 1.8 million passwords stolen from Ubuntu Forums”

  1. cypherpunk

    Seems like Twitter suspended his username? Or he closed his account?
