UPDATE -- The Pirate Bay announced on Friday that an attacker exploited a security hole in the peer-to-peer directory's blogging software to copy a list of the site's usernames and passwords.
The site, which allows visitors to search for files offered by members via a BitTorrent peer-to-peer network, currently has 1.4 million members that offer for download -- or "seed" -- various videos, audio and game files, many of them pirated. While site operator Peter Sunde, who uses the pseudonym "brokep," warned users to change their passwords, he also said that decrypting the password file will likely take a long time.
"We still prefer people to change their passwords from time to time," Sunde stated in response to comments left on the Pirate Bay's blog. "All the passwords are encrypted very hard, so (are) the emails and so on. As someone pointed out on Digg, we've been through raids before, and we know that we want to protect the users."
The Pirate Bay is a well-known BitTorrent tracking site started by a Swedish anti-copyright organization in 2003, but it came under separate management by "dedicated individuals" in October 2004, according to the site's published history. Swedish authorities raided the organization's servers, based in Stockholm, in May 2006, but the torrent tracker was back online three days later.
According to Sunde, some "kids" found an SQL injection vulnerability in the site's blog and used it to compromise the system. The Pirate Bay detected the attack, but Sunde would not give details about the intrusion. The site's operators also found that the attackers had submitted the file containing the account information back to the Pirate Bay's torrent tracker.
The operators of the site apologized on Friday for the security breach. "Sorry for the mess, but we are all human and we miss something sometimes," Sunde stated.
UPDATE: The article was updated at 11:30 a.m. PST with additional information provided by Peter Sunde, operator of The Pirate Bay, in an e-mail interview with SecurityFocus. The original article was posted at approximately 7 a.m. PST.
Posted by: Robert Lemos