XKCD forum, the message board associated with the popular webcomic XKCD, has been taken offline after the personal information of more than 562,000 members was exposed online.

According to security researcher Troy Hunt, the breach occurred two months ago (on July 1 2019). The compromised data has been added to breach alerting site Have I Been Pwned (HIBP).

“We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection,” XKCD said in a notice. “It is likely that it was gathered up in some automatic scan taking advantage of a vulnerability in the forum software.”

The exposed information, which was provided to HIBP by white hat security researcher and data analyst Adam Davies, includes usernames, email addresses, hashed passwords, and in some cases an IP address from the time of registration.

The comic, created in 2005 by American author Randall Munroe, goes by the tagline “a webcomic of romance, sarcasm, math, and language,” and often features mathematical, scientific, and pop-culture in-jokes.

XKCD uses phpBB, a free and open-source message board software built in the PHP programming language, and according to Hunt, the passwords were hashed in MD5 phpBB3 format.

Hashing is the process of taking a plaintext user-provided password and converting it, by adding an optional salt string over several iterations, into a jumble of random characters that is then stored inside a database without revealing the user’s real password. It’s a one-way function.

Although MD5 is still widely used, the password hashing scheme (along with SHA1) is considered “cryptographically broken,” unlike stronger, newer alternatives like BCRYPT, SCRYPT, and Argon2, due to the increased feasibility of collision attacks, wherein two different plaintext inputs result in the same hash value.

It’s for this reason that websites and web, mobile, and other applications must use a strong password hashing system to secure user data.

If anything, the incident serves as another potent reminder of why software needs to be updated, especially if it comes from third parties.

Although phpBB migrated to BCRYPT with version 3.1 and later, it’s very much possible that early users of the XKCD forum had their passwords hashed using MD5, which was the default in phpBB before it was replaced with BCRYPT.

Realistically, this could have been avoided if a hash upgrade scheme was in place to move users from MD5 to BCRYPT upon login.
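The upgrade-on-login scheme described above, as an added example that is not phpBB's or XKCD's code. It assumes the legacy `$H$` records follow the phpass portable MD5 layout, and it uses scrypt (one of the alternatives named above) in place of BCRYPT so that it runs on the Python standard library alone; the `$scrypt$` storage format, the function names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def phpass_md5(password, setting):
    """Recompute a legacy '$H$' hash from the cost and salt stored in `setting`."""
    log2 = ITOA64.find(setting[3:4])          # 4th char encodes log2(iterations)
    if len(setting) < 12 or not 7 <= log2 <= 30:
        raise ValueError("malformed legacy hash")
    pw, salt = password.encode(), setting[4:12].encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << log2):                # iterated MD5 over digest + password
        digest = hashlib.md5(digest + pw).digest()
    n = int.from_bytes(digest, "little")      # emit 6-bit groups, lowest bits first
    return setting[:12] + "".join(ITOA64[(n >> (6 * k)) & 0x3F] for k in range(22))

def scrypt_hash(password, salt=None):
    """Modern hash in a constructed '$scrypt$<salt>$<key>' storage format."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "$scrypt$%s$%s" % (salt.hex(), key.hex())

def login(db, user, password):
    """Verify a login and replace a legacy hash with a modern one on success."""
    stored = db.get(user)
    if stored is None:
        return False
    if stored.startswith("$H$"):
        try:
            ok = hmac.compare_digest(phpass_md5(password, stored), stored)
        except ValueError:
            return False
        if ok:
            # The plaintext exists only during login, so this is the one
            # moment the record can be re-hashed without a password reset.
            db[user] = scrypt_hash(password)
        return ok
    salt = bytes.fromhex(stored.split("$")[2])
    return hmac.compare_digest(scrypt_hash(password, salt), stored)

if __name__ == "__main__":
    # Constructed sample record: the salt and password are made up.
    db = {"alice": phpass_md5("correct horse", "$H$9abcdefgh")}
    print(login(db, "alice", "correct horse"), db["alice"][:8])
```

Accounts that never log in again keep their MD5 record under this scheme, so dormant users remain exposed until their hash is replaced some other way.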
