Hackers posted names, e-mail addresses, message histories, and partially protected login credentials for more than 158,000 forum users of Boxee.tv, the Web-based television service that was acquired by Samsung last year, researchers said.
The breach occurred no later than last week, when a full copy of the purloined forum data became widely available, Scott A. McIntyre, a security researcher in Australia, told Ars. On Tuesday, officials from password management service LastPass began warning customers with e-mail addresses included in an 800 megabyte file that's still circulating online. The file contains personal data associated with 158,128 user accounts, about 172,000 e-mail addresses, and the cryptographically scrambled passwords that corresponded to those Boxee accounts, LastPass said. The dump also included a wealth of other details, such as user birth dates, IP addresses, site activity, full message histories, and password changes. All user messages sent through the service were included as part of the leak.
As Ars has explained before, even when passwords in hacked databases have been cryptographically hashed, most remain highly susceptible to cracking attacks that can reveal the plain-text characters required to access the account. The damage can be especially severe when people use the same or similar passwords to protect accounts on multiple sites, an extremely common practice.