Hackers Steal BitTorrent Forum Users' Emails, Passwords, IP Addresses
The data includes email addresses, usernames, IP addresses, and hashed passwords.
Image: Che Saitta-Zelterman
Hackers have obtained tens of thousands of user accounts for the forum of popular data trading software BitTorrent.
Security researcher Troy Hunt got hold of the dataset and uploaded it to his data breach notification site Have I Been Pwned on Wednesday. Motherboard also obtained the data and verified its contents.
The dump contains just over 34,000 usernames, email addresses, IP addresses, and salted SHA1 password hashes. A "salt" is a random variable added to a hashing algorithm, which should make the passwords harder for hackers to crack.
Hunt pointed out that the forum is based on IP.Board, a piece of software that has led to several other data breaches.
"We can confirm that there was a security issue involving the vendor which powers our forums," Christian Averill, a spokesperson for BitTorrent, told Motherboard in an email. "The vulnerability appears to have been through one of the vendor's other clients, however it allowed attackers to access some information on other accounts, such as ours."
"As a result, attackers were able to download a list of our forum users. We are investigating further to learn if any other information was accessed," Averill continued.
BitTorrent also advised its users to change their passwords, especially if the same password was used on multiple sites.
Strangely, Averill added, "Our vendor has made backend changes so that the hashes in the file do not appear to be a usable attack vector."
It's not totally clear what BitTorrent means by this. It could mean they've invalidated affected accounts on the site so user passwords will no longer work.
It could also mean that the password hashing algorithm has since been changed on the site, but that doesn't stop hackers from cracking the hashes they've already got and obtaining users' passwords. BitTorrent did not provide clarification in time for publication.
"This just adds to the troves and troves of data we've seen leaked in recent times," Hunt told Motherboard in an email. "It also follows a similar pattern to many previous data breaches; a PHP-based forum storing passwords in a weak fashion and being leaked without the site owner even realising it."
The lesson: Although people often focus on passwords in a dump, the leak of other information such as IP addresses poses its own risks. Although it may not be immediately obvious, a hacker could use this information for phishing scams, or just to get a much better idea of where a user is located.
For that reason, you might consider using a virtual private network (VPN) when using the internet. That way, if a site is hacked and your IP address leaked, hackers will only have access to the address of the server you routed your traffic through.
Read previous installments of Another Day, Another Hack here.