Pirates' favorite birds might be parrots, but today Avast is eating crow. The Prague, Czech Republic-based antivirus maker suffered a security breach in its community-support forum over the weekend, resulting in leaked user names, email addresses and scrambled passwords for almost 400,000 of its forum users.
Avast has now taken its forum offline. When the forum comes back online, users will be required to change their passwords. AVAST users who were not registered members of the support forum do not appear to be affected.
It's not yet clear how the attackers breached the forum, but no financial data was stolen in the breach, said AVAST CEO Vincent Steckler in a post on the company website. Steckler said that the compromised users made up less than 0.2 percent of AVAST's 200 million worldwide users.
The stolen passwords were scrambled using a mathematical method called one-way hashing, so on their own they should look like a jumbled string of letters and numbers. However, hashing is deterministic: the same password always produces the same hash, so a thief who hashes common passwords and compares the results against the stolen list can recover the weak ones. For that reason, Steckler said that "it could be possible for a sophisticated thief to derive many of the passwords."
(It also matters which algorithm was used to hash the passwords, and whether the algorithm was "salted" with random data; Steckler did not mention either parameter.)
This is yet another example of why it's important to pick strong passwords that don't mirror "dictionary" words; it's much easier to match a stolen hash against a list of real words than against a seemingly random string.
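To make the hashing and salting points concrete, here is an added example (not Avast's code, and not from the original article) contrasting the weak scheme the article warns about, a single fast unsalted hash, with a salted, slow PBKDF2 scheme; the iteration count, salt length and sample passwords are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this example; they are not Avast's actual settings.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-256. Equal passwords yield equal
    digests, so a precomputed table of common words matches every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger scheme: per-user random salt plus a slow PBKDF2-HMAC-SHA256.
    Returns a self-describing record 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(records: List[str]) -> bool:
    """Audit check for a dumped password table: True if two records carry the
    same digest, the 'discernible pattern' an unsalted scheme leaks whenever
    two users chose the same password. Salted records never collide this way."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample: three forum users, two of whom reused a common password.
    users = ["password123", "correct horse battery", "password123"]
    print("unsalted leaks reuse:", shared_password_visible([unsalted_hash(p) for p in users]))
    print("salted leaks reuse:  ", shared_password_visible([hash_password(p) for p in users]))
```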
Any registered Avast forum user who used the same email address and password on other accounts should change his or her password on those accounts immediately.
Steckler says the community support forum is now being moved to a different software platform, where it will be "faster and more secure." Previously, a third-party platform had hosted the forum.