Cyber Incident Victim: XKCD Forums
Date: Jul 2019
Location: United States of America
Summary
A data breach impacted the XKCD forums, compromising approximately 562,000 users' usernames, email addresses, IP addresses, and passwords hashed in the MD5 phpBB3 format. After the dataset appeared in a public leak, the forums were taken offline for a security review. Because passwords are often reused across other services, affected users face a potential risk of credential stuffing attacks.
Description
The XKCD forums, associated with the webcomic created by Randall Munroe, experienced a data breach on or around July 1, 2019, resulting in the exposure of sensitive user information. The compromised data included usernames, email addresses, IP addresses from registration, and passwords stored as MD5 hashes with salts in the phpBB3 format. Security researcher Adam Davies identified the leaked dataset and provided it to Have I Been Pwned (HIBP), which added the records of 561,991 affected users to its breach notification service on September 1, 2019. Forum administrators confirmed the incident publicly by September 3, replacing the forum homepage with a breach notification and HTTP 503 Service Unavailable error message. The notification explicitly stated that portions of the PHPBB user table had appeared in a leaked data collection.

In response to the breach, XKCD forum administrators took the entire platform offline indefinitely to conduct security reviews and ensure system integrity before restoring access. The breach notification advised users to check their exposure status via HIBP and emphasized the risk of credential stuffing attacks due to password reuse across multiple services. While no evidence of active exploitation was confirmed in the notification, the public availability of the hashed passwords necessitated warnings about changing reused credentials on other platforms. The incident directly impacted over half a million users, with compromised data elements capable of facilitating targeted phishing campaigns or brute-force attacks against weakly hashed passwords. The forums remained inaccessible as of the last public update, with no specified timeline for restoration provided in the source material.
