Ars Staff report:
At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core. That song, “All the Things,” features the chorus:
Drink all the booze,
hack all the things!The hacker didn’t have long to drink all the booze and hack all the things, fortunately; by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further.
Log files show the hacker’s movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters).
Read more on Ars Technica. The comments section under their post is actually pretty interesting as it discusses whether Ars’ security was good enough.
MD5 would not be my choice, but 2K rounds with unique salt is actually better than many of the other breaches we’ve seen. Should give one more than enough time to reset one’s password, as this setup with a just a reasonable (let alone “good”) password would still require a hacker with strong cracking machines multiple days to crack most of them.