Hey folks, some of you received this email today; this is our blog post with all the details as well.
tl;dr (too long, did not read)
We’re asking certain Adafruit user accounts from 2014 and before to reset their passwords as an added security precaution.
Tell me more
We’ve recently become aware of a vulnerability in our legacy authentication system that could have enabled malicious attackers to access information from certain user accounts created in 2014 and before.
The vulnerability could have allowed an intruder to have had access to some usernames, some email addresses, and some hashed passwords from these older forum accounts. We do not believe this issue affected Adafruit store accounts or payment or billing information (Adafruit does not store credit cards, only authorizations). The issue was disclosed by a security researcher as part of a vulnerability disclosure. Following disclosure of the issue, the researcher confirmed user information to demonstrate the vulnerability. We have no reason to believe that any user information was used for fraudulent purposes.
The vulnerability in question involved taking advantage of a weakness in the Adafruit Job Board, a public job offerings forum on the Adafruit website. The Adafruit Job Board did not store resumes or any additional information other than the content of its users’ public posts. From there, an attacker could take steps to gain unauthorized access to user information in our customer support forums: usernames, emails and hashed passwords from older forum accounts. After conducting a thorough internal investigation that included review of our logs, we found no evidence of any other party that might have taken advantage of this vulnerability. We are also currently unaware of any actual misuse of user information.
Although we currently hash all user passwords using bcrypt in an effort to prevent malicious attackers from misusing passwords, certain older passwords that had not been updated since 2014 were hashed using the less robust MD5. Even if you did not use the Adafruit Forums, an account may have been created when you signed up.
To err on the side of caution, we have set up a process to automatically reset any MD5-hashed passwords that may have been implicated by the vulnerability. When you log in to your account, you will receive a prompt instructing you to create a new password. If you do not receive a prompt, we do not believe your account was affected. However, you can always reset your password by logging into your account, navigating to the account settings page, and following the directions there for changing your password. If you use your Adafruit Customer Support Forums password for any other site, we also recommend resetting your password for those sites. We encourage you to use strong passwords and not to reuse passwords on other sites.
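The legacy-hash migration described in the two paragraphs above, as an added illustration that is not Adafruit's code: an account whose stored password is still an unsalted MD5 digest is verified once against the old password, flagged for a mandatory reset, and rehashed under a salted modern scheme, after which the MD5 value is never accepted again. bcrypt, which the post names, is not in the Python standard library, so salted PBKDF2-HMAC-SHA256 stands in for it here; the user records and the legacy digest are constructed for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Stand-in for bcrypt (not in the standard library): salted PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 200_000

@dataclass
class User:
    username: str
    password_hash: str
    must_reset: bool = False

def is_legacy_md5(stored: str) -> bool:
    """Unsalted MD5 digests are 32 hex characters with no scheme prefix."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def modern_hash(password: str, salt: bytes = None) -> str:
    """Self-describing 'pbkdf2$<salt-hex>$<key-hex>' so the scheme is detectable."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${key.hex()}"

def verify(password: str, stored: str) -> bool:
    if is_legacy_md5(stored):
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    scheme, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return scheme == "pbkdf2" and hmac.compare_digest(key.hex(), key_hex)

def login(user: User, password: str) -> str:
    """Return 'denied', 'ok', or 'reset_required' (legacy hash matched, new password needed)."""
    if not verify(password, user.password_hash):
        return "denied"
    if is_legacy_md5(user.password_hash):
        user.must_reset = True  # the UI shows the create-a-new-password prompt
        return "reset_required"
    return "ok"

def set_new_password(user: User, new_password: str) -> None:
    user.password_hash = modern_hash(new_password)  # old MD5 digest is never accepted again
    user.must_reset = False

def sample_users():
    """Constructed records: one 2013-era MD5 account, one already on the modern hash."""
    return [User("legacy2013", "5f4dcc3b5aa765d61d8327deb882cf99"),  # md5("password")
            User("current", modern_hash("hunter2-but-longer"))]

def legacy_usernames(users) -> list:
    """Batch sweep over the user table: who still holds an MD5 digest."""
    return [u.username for u in users if is_legacy_md5(u.password_hash)]
```

The batch sweep is what lets an operator decide up front which accounts will see the reset prompt, while `login` handles the stragglers who only show up later.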
As a reminder, for your security, we will never send you a link to reset your password as part of a security alert, and our customer support team will never contact you asking for your password. If you receive an email of this nature, otherwise suspect that someone is attempting to gain access to your account or solicit your personal information, or have any other questions about this process, please contact us at [email protected].
We would also like to thank all individuals who have and will contribute to the security of our users by disclosing vulnerabilities to us responsibly (https://www.adafruit.com/reportingsecurityissues).
We apologize for the disruption and the extra work this requires from you for these added security measures.
Phillip Torrone, Managing Director & Limor “Ladyada” Fried, founder and the Adafruit team – Adafruit, 150 Varick Street, NY, NY 10013