Anti-virus firm Avast Software has taken its user support forum offline after hackers broke into the system at the weekend and compromised around 400,000 of its registered users.
In a post on the site, the firm said that the attack affected data such as “user nicknames, user names, email addresses and hashed (one-way encrypted) passwords,” and that users would be asked to reset their logins as soon as the site returned.
“This issue only affects our community-support forum. Less than 0.2% of our 200 million users were affected. No payment, license, or financial systems or other data was compromised,” the notification said, downplaying the incident.
Although the data accessed by the attackers is not of the same value as the sensitive information stolen during the recent eBay attack, any kind of hack is embarrassing for a firm that trades on its security competence.
Avast is, after all, the number one antivirus client in the world according to most market share reports, albeit that a large number of those users run the free version.
“We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure,” said Avast, which added that the compromised support forum had been hosted on a third-party site.
“We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.”
Attacks of this kind are always jumped on as a reason for more sites to start using two-factor authentication. This is true but that sort of technology adds cost that probably couldn’t be justified for every site. A better option is simply to use a system that at least imposes some form of password discipline on its users.
Avast doesn’t appear to have offered features such as minimum password complexity requirements, which would make brute forcing of trivial passwords impossible.
It’s not the first embarrassment for Avast. In 2012, the firm had to ditch its Indian support partner, which allegedly told customers that their PCs were suffering technical problems requiring a paid service.