The security breach occurred two months ago, according to security researcher Troy Hunt who alerted the company of the incident, with unknown hackers stealing around 562,000 usernames, email and IP addresses, as well as hashed passwords.
However, the leaked data was actually discovered by security researcher and data analyst Adam Davies, who shared a copy of it with Hunt.
At the time of writing, XKCD has taken down its forum and posted a short notice on its homepage, as shared below, urging its users to change their passwords immediately.
"The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases, an IP address from the time of registration."
"We've taken the forums offline until we can go over them and make sure they're secure. If you're an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password."
The forum administrators are also notifying affected users via email.
As mentioned, XKCD uses phpBB, a free and open-source forum and bulletin board software written in the PHP programming language.
However, at this moment it's unclear whether XKCD was running an older version of the forum software vulnerable to a known security flaw, or whether the attackers exploited a previously undiscovered flaw in phpBB to extract the data without authorisation.
Besides this, even if XKCD was running phpBB version 3.1 or later, which uses the more secure bcrypt hashing algorithm, it's possible that the passwords of early XKCD forum users were still hashed with the older, less secure MD5-based method.
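The mix of hash formats described above is what a forum operator would want to measure first after an incident like this. The following is an added example (not code from the article, XKCD or the phpBB project) that audits a constructed excerpt of a phpBB `users` table and flags every account whose stored `user_password` is not a bcrypt hash. It assumes the three formats phpBB has used over time: plain unsalted MD5 (phpBB 2.x, 32 hex characters), the phpass "portable" MD5-based hash (phpBB 3.0, `$H$` or `$P$` prefix) and bcrypt (phpBB 3.1 and later, `$2y$` prefix); the sample rows are constructed and the hash strings in them are synthetic.

```python
import hashlib
import re
from collections import Counter

# Constructed sample rows (synthetic data, not from the xkcd leak): an excerpt of a
# phpBB `users` table with one account per hash generation the software has used.
SAMPLE_ROWS = [
    {"user_id": 1, "username": "alice",
     # bcrypt, phpBB 3.1+: "$2y$" + cost + 22-char salt + 31-char hash (60 chars)
     "user_password": "$2y$10$abcdefghijklmnopqrstuuJ7Ws8/9Bj6nLPz8U6p.F3p2Q1vXGyKq"},
    {"user_id": 2, "username": "bob",
     # phpass portable hash, phpBB 3.0: "$H$" + cost char + 8-char salt + 22-char hash
     "user_password": "$H$9abcdefg1234567890abcdefghijklm"},
    {"user_id": 3, "username": "carol",
     # plain md5("password"), phpBB 2.x: unsalted, a single fast MD5 round
     "user_password": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"user_id": 4, "username": "dave",
     # corrupted or unrecognised value; treat as needing a reset as well
     "user_password": "not-a-hash"},
]

# Format detection by prefix and length, checked in order from strongest to weakest.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("phpass-md5", re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
]

# Anything that is not bcrypt is treated as legacy: phpBB only re-hashes a legacy
# value on the user's next successful login, so accounts that never logged in after
# an upgrade keep their old hash indefinitely.
LEGACY_FORMATS = {"phpass-md5", "md5", "unknown"}


def classify_hash(stored: str) -> str:
    """Return the hash family of a stored phpBB password value."""
    for name, pattern in HASH_FORMATS:
        if pattern.match(stored):
            return name
    return "unknown"


def audit_user_table(rows):
    """Count hash formats and list the user_ids that should be forced to reset.

    Returns (counts_by_format, user_ids_needing_reset).
    """
    counts = Counter()
    needs_reset = []
    for row in rows:
        fmt = classify_hash(row["user_password"])
        counts[fmt] += 1
        if fmt in LEGACY_FORMATS:
            needs_reset.append(row["user_id"])
    return dict(counts), needs_reset


def is_unsalted_md5(stored: str, candidate: str) -> bool:
    """True when `stored` is exactly md5(candidate): the phpBB 2.x scheme.

    Used here only to show why that generation of hash is weak: no salt and one
    fast digest, so identical passwords produce identical rows.
    """
    return hashlib.md5(candidate.encode("utf-8")).hexdigest() == stored


if __name__ == "__main__":
    counts, needs_reset = audit_user_table(SAMPLE_ROWS)
    print("hash formats in table:", counts)
    print("user_ids to force-reset:", needs_reset)
```

Running the script on the constructed rows reports one account per format and lists users 2, 3 and 4 as candidates for a forced reset; on a real table the proportion of non-bcrypt rows tells the operator how much of the leaked data is protected only by an MD5-based scheme.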
What you can do now: affected users are strongly advised to immediately change their XKCD password, as well as passwords for any other online accounts which re-use the same password.
Created in 2005 by American author Randall Munroe, XKCD is a popular webcomic that focuses on tech, science, and internet culture, with subject matter that varies from statements on life and love to mathematical, programming, and scientific in-jokes.