XKCD forum, the forum space of the popular webcomic XKCD, has been taken down by its administrators after a data breach exposed the personal information of over 562,000 XKCD members online.
The breach was first reported by the online data breach service Have I Been Pwned (HIBP) on Sunday, September 1. In its post, HIBP said that the breach is likely to have been the result of a flaw in the open-source phpBB message board software.
According to the security-tracker company, the breach is likely to have occurred at some point in August and to have exposed the usernames, email addresses, hashed passwords, and IP addresses of affected users.
“In July 2019, the forum for webcomic XKCD suffered a data breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored in MD5 phpBB3 format. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies,” wrote HIBP on its website.
Following the announcement, XKCD forum administrators were quick to take down the forum board to launch their own investigation. Affected users were also said to have been notified through email.
“We’ve been alerted that portions of the phpBB user table from our forums showed up in a leaked data collection,” XKCD said on a notice posted on the forum’s main page. “It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.”
Created in 2005 by American author Randall Munroe, XKCD is a webcomic built around in-jokes about love, mathematics, programming, and science. Its tagline, “a webcomic of romance, sarcasm, math, and language,” reflects the site’s collection of simple yet effective humour.
In a report from The Next Web, XKCD was reported to have been using phpBB, “a free and open-source bulletin board software built in the PHP programming software.”
Troy Hunt, a security researcher, said the passwords were hashed in MD5 phpBB3 format.
To date, it is still uncertain whether the vulnerability in phpBB has already been fixed, or whether it had simply gone unnoticed by the administrators before HIBP’s disclosure.
“We’ve taken the forums offline until we can go over them and make sure they’re secure. If you’re an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password,” XKCD added.