In June, the uTorrent team issued a security alert advising forum members to change their passwords after a database breach. No follow-up information had been made available since the alert. The breach had been forgotten about, for the most part.
As of early September, that data breach has come back around to haunt uTorrent users. Nearly 400,000 uTorrent accounts just became available for purchase on TheRealDeal marketplace.
The database obtained during the initial breach is being sold by a user named “doubleflag” for $600. Doubleflag’s listing contains emails and passwords for 394,769 uTorrent forum users. “Out of a total of 394,769 accounts, some passwords are encrypted with Secure Hash Algorithm 1 (SHA-1) and some with the weak MD5 hashes,” HackRead reports.
TorrentFreak points out that doubleflag claims the data was obtained from uTorrent in January 2016. The security alert from uTorrent did not come until nearly six months later. Although some of the numbers are incorrect, Haveibeenpwned.com also indicates the data was leaked in January. uTorrent did not explicitly say that data had been stolen in June. However, they failed to mention it had been stolen six months prior to the alert.
uTorrent’s 06/07/2016 “Important Security Advisory” announcement:
On June 6th, 2016, BitTorrent was made aware of a security issue involving the vendor which powers our forums.
The vulnerability appears to have been through one of the vendor’s other clients, however it allowed attackers to access some information on other accounts.
As a result, attackers were able to download a list of our forum users. We are investigating further to learn if any other information was accessed. Our vendor has made backend changes so that the hashes in the file do not appear to be a usable attack vector.
As a precaution, we are advising our users to change their passwords. While the passwords may not be used as a vector on the forums, those hashed passwords should be considered compromised. Anyone using the same password for forums as well as other places is strongly advised to update their passwords and/or practice good personal security practices.
Not much can be done if you happen to be one of the unlucky members of the $600 data breach. If the same password was used across multiple sites, now would be a wise time to change them. As the ill-timed security alert from uTorrent points out, “…practice good personal security practices.”