Yesterday the Boxee.tv forums announced that they had experienced a breach, resulting in the loss of information for just over 158,000 user accounts.
Sometime around the latter half of last week, an 800 MB file went up on the open net, containing close to a quarter of a million user credentials. Some were full, others partial, but they contained everything from email accounts and passwords to IP addresses, and even a few phone numbers here and there to boot.
For now, the passwords associated with each account are still protected by a 256-bit AES encryption barrier; however, even the most rudimentary of operations usually carries the kind of firepower necessary to crack through these types of files in a matter of days, if not hours at the more advanced end of the spectrum.
The password management software company LastPass was the first to pick up on the issue, warning users of its service that the file was still available for download, and that if they had ever used the application to organize the passwords on their computer, they should change their info on Boxee’s website immediately.
“Please update the password for your boxee.tv account immediately,” stated an e-mail LastPass sent to customers. “The LastPass Security Challenge, located in the Tools menu of the LastPass addon, will help find any other accounts using the same password as the leaked account.”
This sentiment was quickly backed up by researchers at RiskBased Security on their official malware alert blog, where the exact specifics of the haul were laid out, analyzed, and confirmed by a team of security professionals who specialize in these types of break-ins.
To be clear, this heist in no way affects general users of the Boxee service (just purchased by Samsung last year), only those who had signed up and contributed to the online forums where technical issues and general information are discussed.