XKCD Forum Breach Exposes Emails, Passwords of 562,000 Users

The forums of the XKCD webcomic, created by Randall Munroe in 2005, are currently offline after a data breach that exposed the information of 561,991 users on July 1.

The compromised user information, including usernames, emails, and IP addresses, as well as salted and hashed passwords stored in the MD5 phpBB3 format, was added to Have I Been Pwned's database on September 1 after being provided by security researcher and data analyst Adam Davies.

As Have I Been Pwned said in a tweet, 58% of the addresses in this data breach were already in the platform's database from previous database dumps.

XKCD breach

"The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection," states the breach notification displayed as part of a 503 Service Unavailable HTTP status code.

"The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration."

"We’ve taken the forums offline until we can go over them and make sure they're secure," the data breach alert also says.

Measures XKCD forum users should take

XKCD users who want to know if they have been affected by this breach can enter their email addresses at https://haveibeenpwned.com/ to find out whether their info appears in any breach previously added to the platform, including the XKCD forums one.

Since the database dump was already leaked online according to the breach notification, the users' account credentials might be used in future credential stuffing attacks.

This type of attack lets attackers take credentials compiled from other companies' data breaches and use them to break into accounts registered on other sites.

Credential stuffing is especially effective against users who reuse the same password across multiple online services. Therefore, using a unique password for every account is the best protection against such attacks.

If you are an XKCD forum user and you used the now-leaked password for accounts on other sites, you should change it on all of those sites. If you do not, you risk having all those other accounts compromised in future attacks.

"If you're an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password," also states the XKCD breach notification.
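Site operators on the receiving end of a credential stuffing campaign see the pattern the article describes from the other side: one source trying many different usernames in a short time, mostly failing, with the occasional success on a reused password. The following is an added example, not part of the original article or the xkcd forums code, showing a simple detector over constructed login log lines in an assumed `timestamp ip= user= result=` format; the thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real xkcd forum data).
# Assumed format: "<ISO timestamp> ip=<source> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2019-09-02T10:00:01 ip=203.0.113.5 user=alice result=fail
2019-09-02T10:00:02 ip=203.0.113.5 user=bob result=fail
2019-09-02T10:00:03 ip=203.0.113.5 user=carol result=ok
2019-09-02T10:00:04 ip=203.0.113.5 user=dave result=fail
2019-09-02T10:00:05 ip=203.0.113.5 user=erin result=fail
2019-09-02T10:00:06 ip=203.0.113.5 user=frank result=fail
2019-09-02T10:00:07 ip=198.51.100.9 user=alice result=fail
2019-09-02T10:00:09 ip=198.51.100.9 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames within one window, mostly failing.
    A single user mistyping their own password (one account from one IP) is not flagged.
    Accounts that logged in successfully from a flagged IP are listed so they can be reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            fails = sum(1 for _, _, r in in_win if r == "fail")
            if len(users) >= min_users and fails / len(in_win) >= min_fail_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(in_win),
                              "failures": fails,
                              "succeeded": sorted(u for _, u, r in in_win if r == "ok")}
                break  # one alert per IP is enough
    return alerts
```

Accounts in the `succeeded` list are the ones a defender would force a password reset on, since a successful login from a stuffing source most likely means a reused password.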
