OpenWRT Forum hacked: user data stolen

The OpenWRT forum, run by the community behind the open-source router firmware project, was hacked last weekend, and user data was stolen. The forum operators have just announced the breach.



OpenWRT is an open source project that provides a Linux distribution for embedded systems such as home routers. OpenWRT is therefore often used on home routers to provide them with custom functionality. OpenWRT has its own forum for the community, where almost every OpenWRT user is registered.

Admin account hacked

Over the weekend, an attacker appears to have compromised a forum administrator's account and siphoned off user data. I became aware of the issue via media reports such as here and here, which was posted on the forum.


The message from the forum operators states: 

Security notice – Site break-in on 16-Jan-2021

Around 0400 GMT on 16 Jan 2021, an administrator account on the OpenWrt forum (https://forum.openwrt.org) was breached. It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled.

The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum. Although we do not believe the intruder could download the database, from an abundance of caution, we are following the advice of the Discourse community and have reset all passwords on the Forum, and flushed any API keys.

  1. You will need to reset your password by MANUALLY typing the following link without spaces: https : // forum . openwrt . org
    Enter your user name, and follow the "get a new password" hint.

  2. You should assume that your email address and handle have been disclosed. That means you may get phishing emails that include your name. DO NOT click links, but instead manually type the URL of the forum as above.

  3. If you use Github login/OAuth key, you should reset/refresh it.

  4. OpenWrt forum credentials are entirely independent of the OpenWrt Wiki (https://openwrt.org). There is no reason to believe there has been any compromise to the Wiki credentials.

We apologize for the inconvenience caused by this attack. We will provide updates if we learn any more about the attacker or information that was disclosed.

On Saturday, January 16, 2021, an unauthorized person broke into an administrator account of the OpenWRT forum – exactly how is unknown. The account was not secured via two-factor authentication. The hacker was able to extract a copy of the user list including email addresses, as well as other account data. Currently, it is unclear whether the intruder managed to copy or dump the entire database. Forum operators are asking users to reset their forum passwords and flush API keys (e.g. reset an OAuth key) as a precaution.  



The hack is likely to have captured many email addresses, which will appear in future phishing emails and user databases. Affected users should therefore be doubly cautious in the future about emails that have anything to do with account clarifications and the like, since they could be phishing. The fear: compromising the OpenWRT forum administrator account could be the first step to gaining access to the internal networks of many hardware and software development companies that build on OpenWRT.

The OpenWRT team strongly cautions forum users not to click on links in emails purporting to be from the OpenWRT domain. Instead, users should manually type the forum's URL (forum.openwrt.org) into their browser's address bar and access the forum that way. Are any of you affected by the hack? Did you receive an email notification?

