Hacking XKCD Web Comic Forums Affected 562,000 Users

The forums of the popular XKCD web comic, created by artist Randall Munroe back in 2005, have been hacked and are currently disabled until the developers are again confident in their safety.

As a result of the incident, which occurred as early as the beginning of July 2019, the data of 561,991 users was compromised.

It became known about the incident when the database that leaked to the Internet was added to Have I Been Pwned, and the information security expert and analyst Adam Davis, the first to notice a compromise, provided a dump to the resource.

According to the leak aggregator, 58% of the email addresses from this dump previously appeared in the base of the platform, as they were already part of other leaks. The compromised database contained usernames, email addresses, IP addresses, as well as hashed and salted passwords stored in MD5 phpBB3 format.

“New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned”, — reported Troy Hunt, owner of the Have I Been Pwned website.

Troy Hunt
Troy Hunt

Read also: Media: discovered by Google iPhone hackers also attacked Android and Windows users

It is strongly recommended that all affected users change their passwords if they used the same or similar passwords for different accounts, since the XKCD forums dump has already been leaked to the public.

“XKCD forums are currently disabled. We were warned that some of the phpBB database tables with a list of users were detected in the leak. This data includes usernames, email addresses, hashed passwords, in some cases IP addresses from the moment of registration. Forums will be offline until we make sure of security. If you are a user of, you should immediately change the password for other accounts with similar passwords”, – XKCD employees said.

It is still unclear exactly how the compromise occurred, whether for it is responsible the old version of phpBB, or whether the attackers hacked the forums in some other way.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button