Through the attack, the attacker gained access to the following data:
Full name, e-mail address, encrypted password and any other data you have entered in your profile.
Are you serious that your forum stored encrypted passwords? That’s hard to believe. Passwords should be hashed, not encrypted, because nobody ever has any need to decrypt the password - unless …
I want to ask exactly the same question, as I’m using the GitHub logon service. In this case the password should not be present at all in the ownCloud central database. Or has the GitHub password also been compromised?
Thanks.
@stefanochiappin: correct. If you use an external service (GitHub, Facebook, Google etc.) for authentication, the only place where the login password (or a hash value derived from it) is stored is the external service provider itself. The local forum software (here: Discourse) only exchanges encrypted token data with the remote auth service. The most popular example of this kind of “remote authentication” is the OAuth2 standard.
Are they salted as well? (i.e. hashing the same password twice yields different results, and rainbow tables are ineffective.)
It is unclear to me whether PBKDF2 incorporates a salt mechanism, or if the app developer has to manage the salt himself.
Frédéric
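To illustrate the salting question above: PBKDF2 (RFC 8018) takes the salt as an explicit input and does not generate one, so the application must draw a fresh random salt per password and store it next to the hash. The following is an added example written for this thread, not code from Discourse or ownCloud; the `pbkdf2_sha256$iterations$salt$hash` record format and the iteration count are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"
ITERATIONS = 600_000   # work factor; an assumed value for this example, tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    PBKDF2 itself is deterministic: the same password and salt always give the
    same digest. Unpredictability across users comes only from the caller
    supplying a random salt, which is why it must be stored with the hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh per-password salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        f"pbkdf2_{ALGORITHM}",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count from the record.

    Nothing is decrypted: the stored value cannot be turned back into the
    password, it can only be recomputed from a candidate and compared.
    """
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    r1 = hash_password("correct horse battery staple")
    r2 = hash_password("correct horse battery staple")
    print("different records for the same password:", r1 != r2)
    print("verify correct password:", verify_password("correct horse battery staple", r1))
    print("verify wrong password:", verify_password("wrong", r1))
```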