With more than 150 million active users each month, uTorrent, which was developed by BitTorrent Inc, is the most popular BitTorrent client around. Although the client wasn’t hacked, the uTorrent forum database was. uTorrent has yet to tweet or blog about the breach, but it did announce “an important security advisory” which warns all forum users to change their passwords immediately.
The notice on uTorrent reads, “On June 6th, BitTorrent was made aware of a security issue involving the vendor which powers our forums.”
TorrentFreak said the forums have “tens of thousands of visitors per day and over 388,000 registered members.” The forum uses software by Invision Power Services; the same software “powers the separate BitTorrent forums,” but TF believed “the lack of security notice” on BitTorrent forums meant it “doesn’t appear to be compromised.”
However, Have I Been Pwned has a listing for 34,235 compromised BitTorrent accounts. It states that “the forum for the popular torrent software BitTorrent was hacked” in January 2016. “The IP.Board based forum stored passwords as weak SHA1 salted hashes and the breached data also included usernames, email and IP addresses.”
So far BitTorrent is not playing the name-and-shame game: the company has not publicly identified which vendor was originally hacked, beyond saying the vulnerability came through “one of the vendor’s other clients.” The Have I Been Pwned notification, by contrast, pointedly names the IP.Board forum software, which is made by Invision Power Services.
uTorrent’s security advisory explained:
The vulnerability appears to have been through one of the vendor’s other clients, however it allowed attackers to access some information on other accounts.
As a result, attackers were able to download a list of our forum users. We are investigating further to learn if any other information was accessed. Our vendor has made backend changes so that the hashes in the file do not appear to be a usable attack vector.
Nevertheless, uTorrent advised users to change their passwords, to consider them compromised, as a precautionary measure.
While the passwords may not be used as a vector on the forums, those hashed passwords should be considered compromised. Anyone using the same password for forums as well as other places is strongly advised to update their passwords and/or practice good personal security practices.
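The advisory’s claim that the hashes are no longer “a usable attack vector” is about logging in to the forums; it says nothing about cracking the hashes offline, which is why Have I Been Pwned’s “weak SHA1 salted hashes” matters. The following is an added example, not code from uTorrent, BitTorrent Inc, Invision Power Services or Have I Been Pwned. It assumes a hash layout of sha1(salt || password) purely for illustration (the real IP.Board format is not described on this page), builds a small constructed dump, and runs the per-user dictionary attack an attacker would run against it. The salt defeats precomputed tables, but with a fast hash every guess costs one SHA1, so common passwords fall immediately; the PBKDF2 comparison at the end shows what a deliberately slow password hash does to that cost.

```python
"""Offline dictionary attack on 'salted SHA1' password hashes.

Added example for illustration; not code from any project named on the page.
ASSUMPTION: stored hash = sha1(salt || password). The real IP.Board scheme is
not described on the page and may differ. All sample data is constructed.
"""
import hashlib
import hmac
import time


def sha1_salted(salt: bytes, password: str) -> str:
    """Assumed fast, salted hash: one SHA1 call per guess."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_sample_dump():
    """Constructed 'breach dump' of (username, hex salt, hex digest).

    Passwords are chosen so the attack result is known: two common ones and
    one long random one that a wordlist will not contain.
    """
    users = [("alice", "password1"), ("bob", "qwerty"), ("carol", "x7!Qv#9pLm2$zR")]
    dump = []
    for name, pw in users:
        # Deterministic per-user salt so the demo is reproducible; a real site
        # would use random bytes, which changes nothing about the attack below.
        salt = hashlib.sha256(name.encode("utf-8")).digest()[:8]
        dump.append((name, salt.hex(), sha1_salted(salt, pw)))
    return dump


# Constructed wordlist; real attacks use tens of millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "utorrent"]


def crack_dump(dump, wordlist):
    """Per-user dictionary attack.

    The salt means each user must be attacked separately (no shared rainbow
    table), but that only multiplies work by the user count, and each guess
    is a single SHA1. Returns (cracked {user: password}, total guesses made).
    """
    cracked = {}
    attempts = 0
    for name, salt_hex, digest in dump:
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            attempts += 1
            if hmac.compare_digest(sha1_salted(salt, candidate), digest):
                cracked[name] = candidate
                break
    return cracked, attempts


def pbkdf2_hash(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """A deliberately slow password hash for comparison (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def guess_cost_ratio(iterations: int = 100_000, sha1_samples: int = 2000) -> float:
    """Rough wall-clock ratio: one PBKDF2 guess versus one salted-SHA1 guess.

    The exact number depends on the machine; the point is the order of
    magnitude, which is what decides whether a leaked dump is crackable.
    """
    salt = b"\x00" * 8
    t0 = time.perf_counter()
    for _ in range(sha1_samples):
        sha1_salted(salt, "password1")
    sha1_per_guess = (time.perf_counter() - t0) / sha1_samples
    t0 = time.perf_counter()
    pbkdf2_hash(salt, "password1", iterations)
    pbkdf2_per_guess = time.perf_counter() - t0
    return pbkdf2_per_guess / sha1_per_guess


if __name__ == "__main__":
    cracked, attempts = crack_dump(make_sample_dump(), WORDLIST)
    print(f"cracked {cracked} in {attempts} guesses")
    print(f"PBKDF2 guess costs ~{guess_cost_ratio():.0f}x a salted-SHA1 guess")
```

Two of the three constructed accounts fall in thirteen guesses; only the long random password survives, and it survives because it is not in the wordlist, not because of the salt. That is the practical meaning of “consider them compromised”: anyone who reused a forum password elsewhere should assume an attacker has recovered it.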
The last part, about changing the password anywhere else it was reused, cannot be stressed enough. Password reuse even came back to bite Mark Zuckerberg, whose Twitter and Pinterest accounts were hijacked after his password was allegedly included in the LinkedIn leak.
If the forums were hacked in January, then those passwords may have been floating around for some time now...