>The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.<p>Translation: the passwords were stored using dumb MD5/SHA1. Seriously, it's 2013, why can't 99% of the web get their act together when it comes to password hashing?
This is how much effort it takes to have a BCrypt (strong, slow, salted hash) database user system in Spring (not that they used Spring):<p><pre><code> <http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
<beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource" />
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</code></pre>
StackExchange's AskUbuntu.com is pretty good, as you can use OpenId, and if someone (illegally) hacks Google we are all fucked anways.
ubuntuforums.org timing out as of now but are we sure this is a malicious attack and not simply downtime?<p>If it is an attack, it just means a time bandit for the admins I suppose...
So are they going to email their user base to warn them to change their passwords? I thought I had an account at some point and I didn't get an email.