Avast forum hacked, user names, email addresses and passwords compromised.

26. May 2014 | Security

Earlier tonight I received the following email:

Dear Jay,

The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work.

This issue only affects our community-support forum. No payment, license, or financial systems or other data were compromised.

We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately.

We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.

All the best,

Ondrej Vlcek
COO AVAST Software

I applaud the fast response and notification of their users, something many other companies don’t do unless they are caught or criticized. By now you should know better than to use the same password on different sites, but if you do, and you also had an account on the Avast forums, change the passwords immediately. Using a tool like 1Password to generate a random, strong password for you is recommended. One-way encryption (hashing) without a salt is easy to break with moderately powerful hardware, so before this week is over the majority of the stolen passwords will have been cracked by the hackers.
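Why a missing salt matters, as an added example (not code from Avast or from the emails): with a fast unsalted hash, every account that shares a password shares a stored digest, so one recovered value exposes all of them, while a per-user salt with a slow KDF removes that link. SHA-1, PBKDF2, the iteration count and the sample accounts are assumptions; the emails do not say which algorithm the forum used.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; not data from the breach.
ACCOUNTS = [
    ("alice", "hunter2"),
    ("bob", "hunter2"),
    ("carol", "correct horse battery staple"),
    ("dave", "hunter2"),
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_hash(password):
    """Weak scheme: one fast hash, no salt (SHA-1 is an assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(stored):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(stored)
    return sum(n for n in counts.values() if n > 1)


def audit():
    """Return (accounts linked by digest when unsalted, same when salted)."""
    weak = [unsalted_hash(pw) for _, pw in ACCOUNTS]
    strong = [digest for _, digest in (salted_hash(pw) for _, pw in ACCOUNTS)]
    return shared_digests(weak), shared_digests(strong)


if __name__ == "__main__":
    print(audit())
```
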

On June 17th I received the following email:

A few days ago we informed you that the AVAST forum was attacked and because of that, we took the forum offline to improve its structure and security. It is now back up and more secure.

We decided to rebuild the forum on the same software platform we used before, but we enhanced the security on our side. We added our own login technology with SSL encryption. With this encryption, passwords will not be saved in our forum database. This means that your password cannot be compromised.

The AVAST forum is an extremely important part of our business. Our members not only solve issues identified by other members, but give us valuable insight that helps us improve our business and our products. We are extremely grateful for your participation, and we hope that you will rejoin the forum and continue providing your unique insight.

To start using the new AVAST forum, please create a new password at link. We recommend that you use a different password from the one you used for the old forum.

Again, we regret any inconvenience this may have caused you and thank you for your contributions.

All the best,

Ondrej Vlcek
COO AVAST Software

