devkitPro Forums temporarily shut down due to database vandalization and leak


If you are a homebrew developer then you're most likely familiar with devkitPro, the cross-compiler toolchain used to build virtually all homebrew projects for most of the major home consoles out there. However, if you had registered an account on their forums you may want to take immediate action to protect yourself, as today their forums were hacked and suffered a data breach.

At around 5:27 AM (UTC) devkitPro admins alerted their users that an unknown individual managed to gain access to the forum's phpbb3 database, which was later stolen and vandalized. The database also contained the users' login credentials, which were salted and hashed, so while they are not immediately accessible to the attacker, they are still vulnerable to other types of attacks. As such, it's highly recommended to change your passwords if you had registered an account on their forums and you reused the same one for other accounts.

In addition, the admins stated that their only working database backup is from 2017 so the forums were temporarily closed and are still down at the time of writing. It's currently unknown when they will become accessible again.

Source

[UPDATE 8/2/19]: The forums are now back up.

[UPDATE 2 9/2/19]: The forum's stolen database has been posted publicly on Pastebin and Anonfiles. Again, if you haven't changed your own passwords already, do so now!
 

RattletraPM

https://devkitpro.org/viewtopic.php?f=13&t=8846

They're back.

Remember, keep your passwords long and strong!

I had updated the OP not too long ago but I didn't think about posting something here ^^"

Anyways, now that the DKP forums are back up, keep in mind you will need to reset your password before you can log in if you have an account there.

WinterMute also said the attacker was able to get his account's password from the database leak even if it was salted & hashed because it was a weak one, which he also used on other accounts that later got compromised. So again, if you didn't change your passwords at first, you should definitely do it now.
 

RattletraPM

Here's another update, however this time it's bad news.

The stolen database has been posted publicly on Pastebin and Anonfiles. This makes a bad situation even worse as, while the passwords are hashed & salted, they are still susceptible to attack (as already said) and now anyone can try to get a hold of them.

Again, if you haven't changed your passwords, do so now.
 

WhoAmI?

Passwords were hashed and salted, but if they know the salt used, they can use rainbow tables to try and get passwords. If they got the database, they'll more than likely have the salt.

PHPBB3 stores passwords in such a manner that they are immune to a rainbow table attack. They can only be brute-forced. Here are a few examples of PHPBB3 hashed passwords:

Code:
$H$9zC1mTWR6oXe.wtvnDtIUVix3xHtyu/
$H$9AsL1nf35AOHW0vMlwYtOyKTzbb4NK.
$H$9fZsKRl/DJsg3xu380hJzUulhG5Nkv1
$H$9MUoBGW7ptUqLD8U1wpofrLdXokqmK1
$H$9mZqBUTmT9X5cU.05PiKwS27GXPijZ.
$H$9SxxbQqEBI5B9zq7sfXknXrN5cTHlZ.
$H$9w5.kGES7DcwDMEZX13u7p7lHGimfx/
$H$9gsSWElJHEa0Z7AZB1/TtI7qa0gKfn/
$H$9N877HOHCbmFgWLnmlsCV/IjCMfyKU/
$H$9WEV/xatRmMsljKmXUjrtt1gSuNRcu1

Already knowing the salt isn't going to mean they can use a rainbow table attack. The hashing algorithm is designed to prevent such a thing, and so is salting. Rainbow table attacks are purely used to get the plain-text of already known hash values AFAIK.

Simply passing those hashes to a program such as hashcat and using a wordlist is all an attacker needs to do. Maybe add a few rules or use a mask attack to brute-force some of the harder passwords, etc. A modern high-end gaming rig can easily brute-force those hashes without the need of rainbow tables.
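
Added example, not part of the thread and not phpBB's own code: a Python implementation of the publicly documented phpass "portable" scheme that `$H$` hashes follow, showing that each record carries its own salt and iteration count in the clear and how a site would verify a login and flag such records for migration to a stronger hash. The function names, the salt and the password are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_phpass(stored):
    """Split a portable phpass hash into its public fields."""
    if len(stored) != 34 or stored[:3] not in ("$H$", "$P$"):
        raise ValueError("not a portable phpass hash")
    cost_log2 = ITOA64.find(stored[3])  # '9' decodes to 11, i.e. 2**11 rounds
    if not 7 <= cost_log2 <= 30:
        raise ValueError("iteration count out of range")
    return {"prefix": stored[:3], "cost_log2": cost_log2,
            "md5_rounds": 1 << cost_log2, "salt": stored[4:12]}

def _encode64(data):
    """phpass's base64 variant: little-endian 3-byte groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1)]
    return "".join(out)

def phpass_hash(password, salt, cost_log2=11, prefix="$H$"):
    """Salted, iterated MD5 as defined by the portable phpass scheme."""
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return prefix + ITOA64[cost_log2] + salt + _encode64(digest)

def verify(password, stored):
    """Login check: recompute with the stored salt and cost, compare in constant time."""
    f = parse_phpass(stored)
    candidate = phpass_hash(password, f["salt"], f["cost_log2"], f["prefix"])
    return hmac.compare_digest(candidate, stored)

def needs_rehash(stored):
    """Flag legacy iterated-MD5 records for upgrade at the user's next successful login."""
    return stored[:3] in ("$H$", "$P$")

# Constructed sample record (made-up salt and password, not taken from any leak).
SAMPLE = phpass_hash("correct horse battery staple", "aB3dE6gH")

if __name__ == "__main__":
    print(parse_phpass(SAMPLE))
    print(verify("correct horse battery staple", SAMPLE), verify("hunter2", SAMPLE))
    print(needs_rehash(SAMPLE))
```

The per-record salt is why precomputed tables do not apply, while the low cost (2048 MD5 rounds for a `$H$9` record) is why password strength is the only remaining protection once such a database is public.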
 
