In what may be one of the biggest, yet at the same time least publicized, hacking incidents, the forums of Boxee.tv have been hacked and the fruits of those efforts have been publicized. The security breach yielded information about 158,128 users, including data that could be used to compromise the users' other accounts.
The hacking incident itself took place last week, though Boxee has not yet acknowledged it at all. The revelation and the warning had to come from third-party sources, such as Australian security researcher Scott A. McIntyre, who received a copy of the database and some of whose clients appeared to be among those affected by the breach. This was confirmed separately by Troy Hunt, another Aussie researcher, who included the dumped information in his "Have I Been Pwned" online security service.
The scope of the hacking is quite expansive, not to mention frightening. Included in the database dump are around 172,000 email addresses, birth dates, IP addresses, and all messaging history. It even contains hashed ("scrambled") passwords, which can still be cracked to reveal the real password underneath. Given this wealth of detail, as well as the almost predictable security habits of people, this information can potentially be used to break into those users' other accounts.
This is exactly the point that password management service LastPass wants to make. The company has sent emails to its users warning them of the hacking incident and advising them to change their password for the forum. LastPass also has a tool for searching for other services where users have applied the same password, as long as those passwords are managed by LastPass, of course. Given how commonly users reuse the same password across multiple sites, finding such matches is quite likely.
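To make that reuse check concrete, here is an added example of the idea behind such a tool. It is not LastPass's code and not part of the original article; the vault entries, site names and report key are constructed for illustration. Given one site whose password is known to have leaked, it lists every other stored account that shares the same password and therefore also needs rotating, and it never writes the plaintext passwords into the report, only keyed fingerprints.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of a password-manager export: (site, username, password).
# Hypothetical sites and credentials only; no real accounts.
VAULT = [
    ("forum.boxee.example", "alice", "Sunshine2013"),
    ("mail.example", "alice", "Sunshine2013"),
    ("shop.example", "alice@mail.example", "Sunshine2013"),
    ("bank.example", "alice", "t7#Vq!p2Lw9zR$ke"),
    ("social.example", "alice", "Winter-2012"),
    ("wiki.example", "alice", "Winter-2012"),
]

# Per-run secret so the report carries only keyed fingerprints and never the
# plaintext passwords themselves (constructed value, not a real key).
REPORT_KEY = b"report-session-key-example"


def fingerprint(password: str, key: bytes = REPORT_KEY) -> str:
    """Keyed, truncated fingerprint used only to group identical passwords."""
    digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def reused_passwords(vault):
    """Map fingerprint -> sorted list of sites that share that password."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[fingerprint(password)].append(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def sites_to_rotate_after_breach(vault, breached_site):
    """Given that one site's password was exposed, list every other site in the
    vault that uses the same password and so must be changed as well."""
    exposed = {fingerprint(pw) for site, _u, pw in vault if site == breached_site}
    return sorted(
        site
        for site, _u, pw in vault
        if site != breached_site and fingerprint(pw) in exposed
    )


if __name__ == "__main__":
    for fp, sites in reused_passwords(VAULT).items():
        print(f"password {fp} shared by: {', '.join(sites)}")
    print(
        "rotate after forum breach:",
        sites_to_rotate_after_breach(VAULT, "forum.boxee.example"),
    )
```

The fingerprint is an HMAC rather than a plain hash so that a leaked report cannot be turned back into the passwords with a wordlist; the key is only needed for the duration of the check.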
That said, the security breach actually occurred only in the Boxee.tv forum and doesn't directly affect all Boxee users, unless they use the same credentials for both the service and the community forum. Boxee's silence on the matter is also quite deplorable, but not unusual. Like many similar incidents of late, this one should be a reminder to users to observe security best practices as much as they can, or at least to make use of reliable and secure services that make doing so convenient.
VIA: Ars Technica