Why you can trust us

Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

XKCD forum breach exposes details from over 560,000 user accounts

Hackers breached the forum of the popular webcomic.

XKCD, the sarcastic webcomic revered by science and tech geeks, is now the butt of someone else's joke. Hackers breached the forum of the 14-year old site, stealing over 560,000 usernames, emails, IP addresses and hashed passwords. Security researcher Troy Hunt, who owns the data breach website Have I Been Pwned, alerted the site's administrators over the weekend. Hunt was originally tipped off about the breach by white hat hacker Adam Davies.

XKCD promptly took down its forum, and posted a short message warning users to change their passwords -- as well as any similar passwords for other accounts. "The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration. We've taken the forums offline until we can go over them and make sure they're secure. If you're an forums user, you should immediately change your password for any other accounts on which you used the same or a similar password," wrote XKCD.

Hunt noted that the webcomic's forum uses phpBB, a free and open-source bulletin board widely used across the web, and that 58 percent of the IP addresses stolen already appeared on HIBP's database. As ThreatPost explained, phpBB and other DIY platforms are a popular choice for fan forums within the gaming community and are often vulnerable to attacks due to being poorly maintained. Still, it's unclear whether XKCD's forum was running an older version of phpBB. Engadget has reached out to XKCD for comment, and will update if we hear back.