Security vendor Avast took its community forum offline on Monday after hackers raided its user database.
In an attack on the Czech Republic-headquartered company’s forums over the weekend, hackers accessed nicknames, user names, email addresses, and hashed passwords, Avast CEO Vince Steckler said on the company’s blog.
The breach affected less than 0.2 percent — or roughly 400,000 — of Avast’s 200 million users, Steckler said, noting that the reason for its limited scope was that it only affected users of its community-support forum, which is run on an “isolated third-party system”. Accordingly, the most important customer data it holds — including payment, licence, and financial data — was not impacted.
“We realise that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you,” Steckler said.
While the passwords were stored as hashed values, Steckler advised that it was still possible for a sophisticated attacker to derive the plain text passwords, which could pose a risk to affected users that re-used the password from that forum on other sites.
“If you use the same password and user names to log into any other sites, please change those passwords immediately,” he warned.
Steckler didn’t say whether the passwords were given the additional protection applied by salting hashed passwords, or what algorithm it used.
The CEO said he didn’t understand exactly how the breach occurred, but appears to place responsibility for the incident on the platform.