boards.ie hacked

Boards.ie was hacked this morning. Hackers gained access to usernames, passwords & emails. Enough data for quite a large bank job in the right / wrong hands 🙂

As we’re all aware, we shouldn’t use the same passwords for all of our online accounts, but just how many of us actually use randomly selected passwords consisting of numbers and letters / uppercase / lowercase? A very small percentage i’m guessing.

There have been very high profile hacks where eventually it was revealed big companies (who should know better) use simple, dictionary words as their passwords… one twitter employee used ‘happiness’ for example.

However it’s unlikely the boards.ie hacker gained entry through a simple login administration page. It’s not as if a hacker can download a nice list of usernames and corresponding plain text passwords. The passwords will always be a whole pile of rubbish deliberately designed to protect the ‘real’ passwords. As we all know with technology, nothing is bulletproof so you can’t just write this off as an attack which won’t amount to anything other than disruption for people for a day or two…

However, passwords in a database are always encrypted… for example your password of ‘1234’ could look something like ’81dc9bdb52d04dc20036dbd8313ed055′ when accessed. Somewhere along the line however there is always a formula or multiple formulae which ‘convert’ your password in to that ‘rubbish’ password. From a hackers point of view, it’s a case of finding out how this formula works… usually found by working backwards and by trail and error.

Here is a good or perhaps scary example of encryption & decryption in action… enter some text and test it out for yourself… of course boards.ie’s set up is much more advanced than this and up until now, was regarded as bulletproof or as close to hack proof as there is, but the same logic applies. Most likely the hacker spotted a known problem with vbulletin (the software powering boards.ie) or some vbulletin add in boards.ie was using and managed to get in to their database that way.

photo credit: hypatiadotca

Where there’s a will there’s a way… a list of (potentially thousands) of user accounts & emails from a high profile forum, (in a country like ireland) would be worth quite a bit. The vast majority of boards.ie users are irish. We’re pretty well off here and also pretty tech savvy so there’s a good chance we have plenty of online accounts all over the place. High chance we use the same usernames and passwords for all.

How many people have a twitter account? How many people have a facebook / twitter account? What about gmail / hotmail? Do a search for ‘credit card’ in your email account and see if there’s any credit card details there… look at receipts, recent purchases… the list goes on and on… that’s more than enough information for me to build a profile on you and i’m not even a professional criminal – there are some genius criminals out there who secretly i admire for their creativity…. hey, it beats the nigerian lottery winners / kings looking to share the weath with their 247th long lost cousin.

If somebody really wanted to, they could make an awful lot of cash using that data, provided they invest the time & effort in to decrypting those passwords. That’s worst case scenario of course, but it’s always good to scare people and over hype any security loophole – it means people get smarter and more aware of these attacks Whilst it’s embarrassing & unfortunate for boards.ie, they’ll learn from it and you can be sure it won’t happen again any time soon. Plus the extra publicity they’ll have gained from this attack will ease the pain of the embarrassment 😉