XKCD forum breach impacts more than half a million users
If you're a user of the XKCD forums, then you might want to do a bit of a security audit of your various online identities. The administrators of the forums have revealed that they've been breached, with whoever was responsible making off with usernames, email addresses, and hashed passwords belonging to more than 500,000 users. The forums have been taken down in the wake of the discovery while the administrators make sure that they are secure.
The breach was first publicized over the weekend by Have I Been Pwned creator Troy Hunt (via Vice), who posted his findings to Twitter. In that tweet, Hunt explains that the breach happened last month and exposed user data that was "stored in MD5 phpBB3 format." He also said that 58% of the compromised email addresses were already present in Have I Been Pwned's listings, so for the majority of affected members, this isn't their first tango.
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned https://t.co/LGaAnj1hUA
— Have I Been Pwned (@haveibeenpwned) September 1, 2019
If you head over to the XKCD forums right now, you'll be greeted by nothing more than a "503 Service Unavailable" error with a message from the forum's administrators. "The xkcd forums are currently offline," that message reads. "We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration."
"We've taken the forums offline until we can go over them and make sure they're secure. If you're an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password."
XKCD is a webcomic that has become very popular over the last 14 years in part because of its focus on science and technology. If you're a member of those forums, it's a good idea to change the login credentials of any account that uses the same password, because even though the passwords that were taken were salted and hashed, it's always better to play it safe with these security breaches.