Vince Steckler, CEO of Avast, revealed the news in a blog post on Monday, saying that the forum would be out of action for a “brief period” and stressing that passwords were both hashed and encrypted.
“It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised,” he wrote.
He admitted, though, that a ‘sophisticated thief’ could crack the passwords, although Akamai Technologies senior security advocate Martin McKeay told SCMagazineUK.com this would require “some computing power” and so-called ‘Rainbow Tables’, in order to pre-calculate all the possible hashes. “It's not out of the realms of possibilities,” said McKeay.
Steckler, meanwhile, urged users to change their passwords, especially if they used the same password for various other online services.
“Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately.”
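To make the hashing caveat concrete, here is an added Python example (not from the article, Avast or Steckler; the wordlist, leaked hashes and salts are constructed) showing why an unsalted fast hash can be recovered from a precomputed table of the kind McKeay describes, while a per-user salt with a slow key-derivation function cannot, which is the storage property a forum operator wants whatever algorithm Avast actually used.

```python
import hashlib
import hmac

# Constructed wordlist standing in for the dictionary an attacker would precompute.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "avastfan"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme: fast, unsalted, identical for every user with the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stronger scheme: per-user salt plus an iterated KDF, stored as one self-describing string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2$sha256${iterations}${salt.hex()}${dk.hex()}"


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> password map: the idea behind a rainbow table, done naively."""
    return {unsalted_sha1(word): word for word in wordlist}


def recover_unsalted(leaked_hashes, table) -> dict:
    """Every leaked unsalted hash that appears in the table is recovered with one lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def verify_salted(stored: str, candidate: str) -> bool:
    """Checking a salted record requires recomputing the KDF with that record's own salt,
    so a table built once cannot be reused across users."""
    _, _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed "leak": two users chose a common password, one chose a long passphrase.
    leaked = [unsalted_sha1("letmein"), unsalted_sha1("letmein"), unsalted_sha1("correct horse battery")]
    print("recovered from unsalted leak:", recover_unsalted(leaked, build_lookup_table(COMMON_PASSWORDS)))
    # Same password, different salts: the stored values differ, so nothing is shared or precomputable.
    a = salted_pbkdf2("letmein", b"\x01" * 16)
    b = salted_pbkdf2("letmein", b"\x02" * 16)
    print("salted records identical:", a == b, "| verifies:", verify_salted(a, "letmein"))
```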
Steckler went on to state that “no payment, licence, or financial systems or other data” was compromised and said that the hack – the full details of which are unknown at this time – affected some 400,000 users. He said that passwords will be reset for all users when the forum comes back online.
Graham Cluley, a former anti-virus expert who worked for various security companies in the early 1990s and is now an independent security consultant, wrote on his blog that it is concerning that data could have been stolen.
“Even though Avast's CEO might be keen to underline that no payment information was exposed as a result of the hack, I might quibble with the claim that ‘your sensitive data remains secure’. Surely it's a concern that usernames, email addresses and hashed passwords have fallen into the hands of hackers?” he said, before adding that the algorithm used by Avast to secure the hashed passwords hasn't yet been revealed.
He recommended that users adopt password management software such as LastPass or 1Password to make their passwords harder to crack.
“To Avast's credit, it does appear to have promptly responded to the attack, shutting the forum and emailing users who might be affected by the security breach. Compare that to eBay's recently exposed tardy efforts in response to its own hacking attack.”
Commenting further, Akamai's McKeay said that online forums are often a “very low priority” as far as security is concerned, with web companies too busy securing their core websites.
He said that Avast should be clearer about how it was compromised. “It is a basic step they have to take,” he told SCMagazineUK.com of the company's decision to take down the forum. “The more positive step would be to share what's happening, as that's always a good thing to do as a security company.”
This isn't the first time Avast has been in the news regarding a security incident. Late last year, hackers tried to change the company's DNS records to redirect visitors to an alternative website.