Android forum MoDaCo hit by hackers leaving 880,000 users exposed
A UK-based forum dedicated to news and modification tips for the Android operating system has reportedly been breached, with nearly 800,000 usernames and passwords stolen by hackers.
The website in question, called MoDaCo, was breached in January this year by a cyberattack that exposed 879,703 subscriber records in total, according to Australian security researcher Troy Hunt. The compromised data included usernames, emails, IP addresses and salted passwords.
Hunt, who maintains a breach notification website called Have I Been Pwned, has obtained and uploaded a copy of the leaked dataset to his online service. Any MoDaCo users can now check if their personal credentials have been compromised.
According to the Have I Been Pwned Twitter account, 70% of the details were already on the website – likely due to username or password reuse from other online services recently hacked such as Myspace or LinkedIn.
Users of the Android forum quickly took to the website’s forum pages to complain about the security incident, especially the lack of notification from MoDaCo itself. Many of the commenters were simply looking for instructions about how to urgently delete their accounts.
“Now, these things happen and I have a pretty strong, unique password here (now changed again). But I’ve been back through Gmail and I see no email notification of this? Was there an alert sent out at the time? And shouldn’t the site have forced a password change on me when I logged in today, as I last updated the password in 2014,” wrote one user.
Another complained: “Why is this the first we’re hearing about it.” The founder of the website, Paul O’Brien, has indicated on social media the website is aware of the incident. “Haveibeenpwned is reporting a data breach. We’ll post a statement later today, however be assured all passwords are hashed and salted,” MoDaCo wrote in a statement then retweeted by O’Brien.
Mark James, an IT expert with security firm ESET, said: “This particular [data breach] is causing a bit of a storm on their own forums as the users would like to have received notification from the owners first not through a third party site.
“Looking through the forum posts many of the users have not used the site for a while and were looking for means to delete their accounts. This breach apparently happened in January 2016 but at least the passwords were stored as salted MD5 hashes and not in plaintext.”
In a statement posted to the forum, O’Brien said he was “disappointed” to confirm the data breach was legitimate and blamed the incident on a compromised administrator account.
He said: “We have taken action to prevent this vector being accessible in this way in the future, for us it is a lesson learned, albeit in a very difficult way to stomach. We are also liaising with the CMS provider to determine additional ways to mitigate similar attacks going forward.
“We think that passwords are well protected against unauthorised use, however a small amount of additional data (such as username and email address) are also included in the dump […] I offer my sincere apologies and ask for your understanding in this matter.”