Security company Avast suffers embarrassing forum hack

Getting hacked is embarrassing enough when you’re a high-profile web firm like eBay(s ebaY), but infinitely more so when you’re actually in the security business. So it’s red cheeks all around over at the offices of Avast, the Czech antivirus vendor.

The integral systems of Avast, a billion-dollar company, were not themselves hacked – rather, some miscreants broke into the firm’s online forum over the weekend, according to a blog post on Monday from CEO Vince Steckler. Nonetheless, the names, email addresses and encrypted passwords of up to 400,000 users (0.2 percent of Avast’s total user base) were siphoned off.

The passwords were hashed, but Steckler warned that “it could be possible for a sophisticated thief to derive many of the passwords” anyway. Echoing last week’s eBay debacle, Steckler advised users of the forum to change their passwords on other sites, if they use them across multiple services.

As Steckler noted, Avast’s forum was running on third-party software — Simple Machines Forum (SMF), to be precise — that it will now be abandoning. Some observers have theorized that the company may not have kept the forum software up-to-date, but Avast told me by email that this was not necessarily the cause:

“The forum was running SMF version 2.0.6. The latest version is SMF 2.0.7 but according to the SMF change log (and the announcements on the SMF web site) there were no security-related updates included in this version. It is not clear whether the attack was conducted via a 0-day vulnerability or a hole that was silently fixed in v2.0.7 but never announced.”

Alternatively, it could be that a site admin got suckered by a dodgy email. Either way, it’s a mortifying episode for a security vendor, and a good reminder for the rest of us that very little out there is truly secure.