by zaroth 3628 days ago

  They used this access to download portions of the ‘user’ table which contained 
  usernames, email addresses and IPs for 2 million users. No active passwords were 
  accessed; the passwords stored in this table were random strings as the Ubuntu Forums 
  rely on Ubuntu Single Sign On for logins. The attacker did download these random 
  strings (which were hashed and salted).
Is that a session token they are talking about? What part of the OpenID protocol would involve saving a so-called "password" in the users table which is really just a "random string", but which was also hashed and salted?

Ubuntuforums does use Ubuntu One for SSO, there should be no "passwords" at all in the table, so I'm not quite sure what to make of that paragraph. Typically session tokens are not salted and hashed, although you can actually do that to avoid having to revoke them after a breach.


It's likely leftover schema from when a password was used instead of the SSO. I've seen this when a system transitioned to SSO that is based on another forum technology that also supports passwords. Just filled the regular password fields with garbage basically.
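The migration pattern this comment describes (legacy password columns kept by the forum software, but filled with a random value that is salted and hashed once SSO takes over) as an added Python illustration; this is not code from the thread or from Ubuntu Forums, and the column names, the PBKDF2 choice and the sample rows are assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed sample rows, shaped like the "user" table the post describes
# (username, email, salt, password hash). Not real data.
USERS = {
    "alice": {"email": "alice@example.invalid", "salt": None, "pw_hash": None},
    "bob":   {"email": "bob@example.invalid",   "salt": None, "pw_hash": None},
}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the KDF is an assumption, not the forum's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_local_password(row: dict, password: str) -> None:
    """Legacy path: store a salted hash of a password the user actually knows."""
    row["salt"] = secrets.token_bytes(16)
    row["pw_hash"] = hash_password(password, row["salt"])
    row["sso_only"] = False

def disable_local_login(row: dict) -> None:
    """SSO migration: keep the schema, but overwrite the hash with the salted
    hash of a random secret that is discarded immediately, so nothing in the
    column corresponds to a password anyone holds (or could reuse if leaked)."""
    placeholder = secrets.token_urlsafe(32)      # random string, never stored
    row["salt"] = secrets.token_bytes(16)
    row["pw_hash"] = hash_password(placeholder, row["salt"])
    row["sso_only"] = True

def local_login_ok(row: dict, password: str) -> bool:
    """Local password check. SSO-only rows are refused outright; even without
    the flag, the placeholder hash cannot match any guessed password."""
    if row.get("sso_only") or row["salt"] is None or row["pw_hash"] is None:
        return False
    return hmac.compare_digest(hash_password(password, row["salt"]), row["pw_hash"])

def migrate_all(users: dict) -> int:
    """Flip every row to SSO-only; returns the number of rows migrated."""
    for row in users.values():
        disable_local_login(row)
    return len(users)

if __name__ == "__main__":
    set_local_password(USERS["alice"], "correct horse")
    print("before migration:", local_login_ok(USERS["alice"], "correct horse"))
    migrate_all(USERS)
    print("after migration: ", local_login_ok(USERS["alice"], "correct horse"))
```

The leaked column then holds only salted hashes of values nobody knows, which is what makes the "random strings (hashed and salted)" wording in the announcement plausible.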