
Antivirus firm Avast hacked, 400,000 passwords stolen


Avast urges forum users to change any matching passwords after admitting embarrassing hack

The Avast forums have been hauled offline with the antivirus company confirming that hackers had nabbed around 400,000 user email addresses and passwords.

Avast said the attack happened over the weekend with hackers making away with nicknames, usernames, email addresses and hashed passwords. It confirmed that 0.2 per cent of its 200m forum users were affected, or around 400,000 people.

“Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords,” said Avast CEO Vince Steckler.

Anyone who uses their Avast forums password on other websites should change it immediately. Avast said that all users will be required to change their passwords when the forums go back online.

“We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure,” Steckler said, adding that Avast wasn’t yet sure how hackers breached the forum’s security.

The company said the forum was hosted on third-party software and said that other personal and sensitive information held by Avast remained secure.

According to a Google cache of Avast’s forum taken on 24 May, the company was using the 2012 version of Simple Machines’ forum software.

Security expert Graham Cluley said that Avast had done the right thing by acting quickly once it discovered the breach:

“To Avast’s credit, it does appear to have promptly responded to the attack, shutting the forum and emailing users who might be affected by the security breach. Compare that to eBay’s recently exposed tardy efforts in response to its own hacking attack,” he said.
