About phpBB

phpBB offers news, support, and downloads of the forum software, modifications, and templates of PHP.

phpBB Headquarters Location

P.O. Box 243

Harbinger, North Carolina, 27941,

United States

Latest phpBB News

XKCD Forum Goes Offline After Discovery of Data Leak Affecting 562K Members

Sep 3, 2019

XKCD forum, the bulletin board associated with the popular webcomic XKCD, has been taken offline after personal information of more than 562,000 members was exposed online. “We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection,” XKCD said in a notice. “It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.”

The exposed information, which was provided to HIBP by white hat security researcher and data analyst Adam Davies, included usernames, email addresses, hashed passwords, and in some cases an IP address from the time of registration.

The comic, created in 2005 by American author Randall Munroe, goes by the tagline “a webcomic of romance, sarcasm, math, and language,” and often features mathematical, scientific, and pop-culture in-jokes.

XKCD uses phpBB, a free and open-source bulletin board software written in the PHP programming language, and according to Hunt, the passwords were hashed in MD5 phpBB3 format.

New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned

Hashing is the process of taking a plaintext, user-provided password and converting it, with an optional salt string and over several iterations, into a jumble of seemingly random characters that is then stored in a database without exposing the user’s real password. It’s a one-way function. Although MD5 is still widely used, it (along with SHA1) is considered “cryptographically broken,” unlike stronger, newer alternatives such as BCRYPT, SCRYPT, and Argon2, because of the increased possibility of collision attacks, in which two different plaintext messages produce the same hash value.

It is for this reason that websites and web, mobile, and other applications must use a strong password hashing system to safeguard user data. If anything, the incident serves as yet another potent reminder of why software needs to be kept constantly up to date, especially when it comes from third parties.

Although phpBB migrated to BCRYPT with version 3.1 and later, it’s very much possible that early users of the XKCD forum had their passwords hashed using MD5, which was the standard in phpBB before it was replaced with BCRYPT. Realistically, this could have been avoided if a hash upgrading scheme had been in place to move users from MD5 to BCRYPT upon login.

For now, the same rule of caution applies. In the event you turn out to be among those affected, immediately change your XKCD password, as well as the password on any other accounts where you used the same (or a similar) one.
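A sketch of the upgrade-on-login scheme the article says was missing, added here as an example; it is not phpBB's or XKCD's code. It assumes the phpass-style "$H$" layout for legacy phpBB3 MD5 hashes and uses scrypt from Python's standard library in place of BCRYPT, which would need a third-party package; the users dict and the "scrypt$..." record format are constructed for illustration.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass base64: each 3-byte group is read little-endian, 6 bits at a time."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def phpass_md5(password: str, setting: str) -> str:
    """Legacy hash: '$H$' + cost char + 8-char salt, then iterated MD5."""
    rounds = 1 << ITOA64.index(setting[3])
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Modern record 'scrypt$<salt hex>$<key hex>' (constructed storage format)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                         maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def login(users: dict, name: str, password: str) -> bool:
    """Verify a login; a correct password on a legacy record triggers the upgrade."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith("$H$"):
        ok = hmac.compare_digest(phpass_md5(password, stored), stored)
        if ok:
            # The plaintext is only available at login, so re-hash and replace now.
            users[name] = scrypt_hash(password)
        return ok
    salt = bytes.fromhex(stored.split("$")[1])
    return hmac.compare_digest(scrypt_hash(password, salt), stored)

if __name__ == "__main__":
    users = {"alice": phpass_md5("correct horse", "$H$9abcdefgh")}  # constructed
    print(login(users, "alice", "correct horse"), users["alice"][:7])
```

Accounts that never log in again keep their MD5 record under this scheme, so a migration also needs a plan for dormant users, such as a forced password reset.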
