Another 1,500 passwords were protected with the default WordPress hashing function, and these were also salted.
Of the 16,500 leaked accounts, around 2,000 didn’t store password data because users employed a federated login system.
It’s the same hacker that stole over $300,000 from investor Bo Shen
The Ethereum Project said the hacker reached out and revealed he was the same person who stole 110,000 Augur cryptocurrency (around $300,000) and an undisclosed amount of Ether funds from renowned cryptocurrency investor, Bo Shen.
The tactics used for both hacks are similar because the attacker also used social engineering to take control of Shen’s phone number and access his cryptocurrency wallets.
In the aftermath of the hack, the Ethereum Project has now reset all forum passwords and is in the process of sending email notifications to all of the users whose data was exposed.
Furthermore, developers are also removing recovery phone numbers from accounts in order to prevent future similar incidents.
Ethereum Project volunteers stolen data to Have I Been Pwned
The Ethereum Project has also reached out to the Have I Been Pwned? service and supplied a copy of the data they believe was stolen, so users can use the site to find out if their account details have been exposed.
Bleeping Computer has reached out to Troy Hunt, the man behind the Have I Been Pwned service. At the time of publishing, according to Hunt, the Ethereum forum data is not yet loaded in the Have I Been Pwned search index.
“I expect I’ll have the Ethreum [sic] data up tomorrow [December 21],” said Hunt, who is also preparing a blog post with more details on the incident.
“This is only the second time a hacked site has self-contributed, they deserve a lot of credit for owning the incident in this fashion,” Hunt also added.
The first company that sent their own data to Have I Been Pwned is TruckersMP, a company that makes trucking simulator games.
Password reset is crucial
Breaking bcrypt-hashed passwords is extremely resource-intensive and time-consuming, but not impossible. If Ethereum users have reused their forum password for more sensitive accounts, such as Ether wallets, it is highly recommended they change it immediately.
The attacker may not be able to break the passwords for all stolen accounts in the following months, but he may be able to cherry-pick the accounts of importance in the Ethereum network, or of users he suspects are in possession of large Ether funds.
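The reason a password reset still matters even for bcrypt-protected accounts is the cost per guess: a slow hash only buys users time, it does not make a reused password safe. The following Python example is added here to illustrate that point and is not code from the Ethereum forum or from Bleeping Computer. It uses one salted MD5 round as a stand-in for a fast legacy scheme and PBKDF2-HMAC-SHA256 with a high iteration count as a stand-in for bcrypt (bcrypt is not in the Python standard library; the lesson about cost per guess is the same). All function names, the salt value and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the illustration (not the forum's real settings).
# PBKDF2 here plays the role of bcrypt: a deliberately slow, salted hash.
SLOW_ITERATIONS = 50_000


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One salted MD5 round: cheap to compute, so cheap for an attacker to guess against."""
    return hashlib.md5(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """Slow KDF standing in for bcrypt: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = SLOW_ITERATIONS) -> dict:
    """What a site should store: a fresh random salt, the work factor and the slow hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": slow_hash(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash and compare in constant time so the check itself leaks nothing."""
    candidate = slow_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guesses_per_second(hash_fn, salt: bytes, samples: int = 10) -> float:
    """Measure how many candidate passwords one core can hash per second with `hash_fn`.

    A defender uses this to pick a work factor: the slower the hash, the more time
    users have to rotate a password after a database is stolen.
    """
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate{i}", salt)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def time_to_exhaust(keyspace: int, rate: float) -> float:
    """Seconds needed to try every candidate in `keyspace` at `rate` guesses per second."""
    return keyspace / rate


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    print("correct password verifies:", verify("correct horse battery staple", record))
    print("wrong password verifies:  ", verify("wrong horse", record))

    salt = b"constructed-salt"          # constructed sample salt for the timing comparison
    fast_rate = guesses_per_second(fast_salted_hash, salt, samples=200)
    slow_rate = guesses_per_second(slow_hash, salt, samples=10)
    print(f"salted MD5:   {fast_rate:,.0f} guesses/s")
    print(f"slow KDF:     {slow_rate:,.0f} guesses/s")
    # Same 8-character lowercase keyspace, two very different outlooks for the user.
    keyspace = 26 ** 8
    print(f"slow KDF is {fast_rate / slow_rate:,.0f}x slower per guess;")
    print(f"exhausting {keyspace:,} candidates takes {time_to_exhaust(keyspace, slow_rate) / 86400:,.0f} days on one core")
```

The takeaway matches the article's advice: the slow hash raises the per-guess cost by orders of magnitude, but a password that is short, common or reused elsewhere is still reachable, so the reset is what actually closes the exposure.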