Summary:

The personal details of hundreds of thousands of people were taken in an attack on the antivirus outfit’s web forum.

Getting hacked is embarrassing enough when you’re a high-profile web firm like eBay, but infinitely more so when you’re actually in the security business. So it’s red cheeks all around over at the offices of Avast, the Czech antivirus vendor.

The internal systems of Avast, a billion-dollar company, were not themselves hacked – rather, some miscreants broke into the firm’s online forum over the weekend, according to a blog post on Monday from CEO Vince Steckler. Nonetheless, the names, email addresses and hashed passwords of up to 400,000 users (0.2 percent of Avast’s total user base) were siphoned off.

The passwords were hashed, but Steckler warned that “it could be possible for a sophisticated thief to derive many of the passwords” anyway. Echoing last week’s eBay debacle, Steckler advised users of the forum to change their passwords on other sites if they reuse them across multiple services.

As Steckler noted, Avast’s forum was running on third-party software — Simple Machines Forum (SMF), to be precise — that it will now be abandoning. Some observers have theorized that the company may not have kept the forum software up-to-date, but Avast told me by email that this was not necessarily the cause:

“The forum was running SMF version 2.0.6. The latest version is SMF 2.0.7 but according to the SMF change log (and the announcements on the SMF web site) there were no security-related updates included in this version. It is not clear whether the attack was conducted via a 0-day vulnerability or a hole that was silently fixed in v2.0.7 but never announced.”

Alternatively, it could be that a site admin got suckered by a dodgy email. Either way, it’s a mortifying episode for a security vendor, and a good reminder for the rest of us that very little out there is truly secure.

  1. Nice to see that Avast is willing to lie through their teeth to keep face.

  2. After the lies, I’ve abandoned my paid-for Avast suite. They can’t be trusted, obviously.
