It Was Confirmed: XKCD Forum Users' Passwords Were Exposed in a Data Breach
Those of you interested in mathematics, technology, and information security have probably heard the name Randall Munroe. He is the creator of the XKCD webcomic which uses brilliant stick figure cartoons and a healthy dose of humor to discuss these subjects. Using XKCD, Munroe popularized his 'correcthorsebatterystaple' theory, according to which a long passphrase that consists of four random words is both easier to remember and more secure than a scrambled string of letters, numbers, and special characters.
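The "four random words" idea only holds when the words really are drawn at random from a known list, so it helps to put numbers on it. The following Python is an added illustration, not code from the article or from XKCD; the wordlist and alphabet sizes are constructed assumptions (2048 words is a common illustrative list size, 7776 is the Diceware list size, 95 is printable ASCII), and the entropy figures it produces follow from those assumptions alone.

```python
import math
import secrets

# Constructed assumptions for the illustration (not figures from the article).
WORDLIST_SIZE = 7776   # size of the Diceware wordlist; any list size works
ALPHABET_SIZE = 95     # printable ASCII characters


def passphrase_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy in bits of `words` words chosen uniformly at random from the list.

    Each word contributes log2(wordlist_size) bits; the words must be chosen
    independently and at random, otherwise this bound does not apply.
    """
    return words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Entropy in bits of `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(bits: float) -> float:
    """Number of guesses needed to try every possibility for the given entropy."""
    return 2.0 ** bits


def equivalent_random_chars(bits: float, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Shortest random-character password with at least `bits` bits of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_passphrase(words: int, wordlist: list[str]) -> str:
    """Build a passphrase the way the theory assumes: each word drawn from the
    OS CSPRNG via `secrets`, never from `random` or from a human's memory."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    four_words = passphrase_entropy_bits(4, 2048)
    print(f"4 words from 2048: {four_words:.1f} bits, "
          f"{guesses_to_exhaust(four_words):.3g} guesses to exhaust")
    print(f"same strength needs {equivalent_random_chars(four_words)} random printable chars")
    print(f"4 words from {WORDLIST_SIZE}: {passphrase_entropy_bits(4):.1f} bits")
    # Constructed tiny wordlist so the generator runs offline.
    print(generate_passphrase(4, ["correct", "horse", "battery", "staple", "apple", "river"]))
```

Note what the numbers do and do not say: the entropy comes entirely from the random selection, so a phrase taken from a song lyric or chosen because it "sounds random" is worth far less than the formula suggests, and none of this protects a password once the server storing it has been breached.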
On Friday, cybersecurity expert and creator of the Have I Been Pwned alert service Troy Hunt used his huge Twitter following to attempt to get in touch with Randall Munroe. He wasn't trying to explain why the "correcthorsebatterystaple" theory might not work in the real world; he did that a while ago. Hunt was trying to tell Munroe that information belonging to XKCD fans had been exposed.
XKCD's forum was breached
Troy Hunt was initially contacted by an ethical hacker by the name of Adam Davies who told him that the forum where people discuss everything related to XKCD was breached a couple of months ago. Eventually, Hunt managed to get in touch with the forum's administrator who acknowledged the breach and took steps to address the issue.
Email notifications were sent to affected individuals, the forum was taken offline, and it will remain down while the people responsible for it try to figure out what happened exactly. Meanwhile, Troy Hunt received the leaked information from Adam Davies, and he loaded it into his data breach alert service which means that you can enter your email at https://haveibeenpwned.com/ and see if your account has been compromised.
How big was the breach?
XKCD is one of the world's most popular webcomics, and analytics tools suggest that it has millions of monthly visits. In light of this, the breach at the forums doesn't seem that terrible. Just under 562 thousand accounts were affected which, while still a significant number, is nowhere near as enormous as the dozens of millions of records other websites and applications leak on a daily basis.
In addition to this, the XKCD forum is free to use, which means that it doesn't store any financial information. According to the statement currently posted on the forum, the data that did get exposed includes IP addresses at the time of registration, usernames, emails, and "salted, hashed passwords".
It's safe to assume that when the forum goes back online, the passwords of the affected accounts will be reset. The administrators rightly warned users, however, that if they have used their XKCD password for other accounts, they should change it as a matter of urgency. And with good reason.
Even the strongest password can't beat a weak hashing algorithm
We're pretty sure that some of you use Randall Munroe's "correcthorsebatterystaple" system while others, like Troy Hunt, rely on password generators. Regardless of what your stance is, every single one of your accounts must be secured with a strong, unique password. Unfortunately, even this isn't enough sometimes.
XKCD's data breach notification states that the attackers took advantage of a vulnerability in phpBB, the forum's underlying platform. The fact that the hole existed suggests that not all security updates had been installed. The password hashing function also points towards outdated software.
According to Have I Been Pwned, the passwords were hashed with MD5 which, as we mentioned not that long ago, is a woefully outdated and insecure hashing algorithm. Admittedly, the hashes were also salted, which makes recovering the credentials a little more difficult because precomputed lookup tables no longer apply, but MD5 is designed to be fast and a salt does nothing to slow down guessing. Even so, the fact that your XKCD password was protected with MD5 means that it should be considered compromised and should never be used again.
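The practical lesson for anyone running a forum is that salting is necessary but not sufficient: the hash itself has to be slow. The Python below is an added example and not phpBB's code or its real hash format; the "legacy" scheme is a constructed stand-in for any fast salted hash, the PBKDF2 iteration count of 600,000 is an example parameter, and `verify_and_upgrade` shows the usual defender's migration pattern of re-hashing a legacy record with the slow scheme the next time its owner logs in successfully.

```python
import hashlib
import hmac
import secrets
import time

# Example parameter, not a value from the article: 600,000 iterations of
# PBKDF2-HMAC-SHA256 makes each guess cost roughly half a second on a CPU.
PBKDF2_ITERATIONS = 600_000


def legacy_salted_md5(password: str, salt: bytes) -> bytes:
    """Constructed legacy scheme for illustration: MD5(salt || password).

    This is NOT phpBB's actual format; it stands in for any fast salted hash.
    The salt defeats precomputed tables but each guess still costs one MD5.
    """
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def make_record(password: str) -> dict:
    """Create a stored credential with a fresh random per-user salt."""
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": modern_hash(password, salt)}


def verify_and_upgrade(record: dict, candidate: str) -> bool:
    """Check a login; if the record still uses the legacy scheme and the
    password is correct, re-hash it in place with the slow scheme."""
    if record["scheme"] == "md5":
        expected = legacy_salted_md5(candidate, record["salt"])
        # compare_digest runs in constant time so the comparison leaks nothing.
        ok = hmac.compare_digest(record["hash"], expected)
        if ok:
            record.update(make_record(candidate))
        return ok
    return hmac.compare_digest(record["hash"], modern_hash(candidate, record["salt"]))


def hashes_per_second(fn, seconds: float = 0.2) -> float:
    """Rough throughput of a hashing function on this machine, for comparison."""
    salt, password = b"\x00" * 16, "correct horse battery staple"
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn(password, salt)
        count += 1
    return count / seconds


def slowdown_factor() -> float:
    """How many times more work one guess costs under the slow scheme."""
    return hashes_per_second(legacy_salted_md5) / hashes_per_second(modern_hash)


if __name__ == "__main__":
    # Constructed legacy record, as a migration would find it in an old database.
    legacy = {"scheme": "md5", "salt": b"oldsalt!", "hash": None}
    legacy["hash"] = legacy_salted_md5("correcthorsebatterystaple", legacy["salt"])
    print("wrong password accepted:", verify_and_upgrade(legacy, "Tr0ub4dor&3"))
    print("right password accepted:", verify_and_upgrade(legacy, "correcthorsebatterystaple"))
    print("record now uses:", legacy["scheme"])
    print(f"one guess is about {slowdown_factor():.0f}x more expensive under PBKDF2")
```

A memory-hard function such as scrypt (`hashlib.scrypt`) or Argon2 is the better choice where it is available, but the structure is the same: random salt per user, a cost parameter you can raise over time, and constant-time comparison. The throughput measurement is only there to make the point concrete; the absolute numbers will vary by machine.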