Share this Story

AOKP Forum Infected With Malware, All Usernames and Passwords Compromised

Oh, the Internet. It’s a fun and beautiful place for the most part, but sometimes, it can be a real pain in the ass. Unfortunately for our friends in the Android Open Kang Project, their forum (aokpDOTco) has come down with an illness, malware to be exact, and all of their user’s usernames and passwords have been compromised. AOKP’s founder, Roman, took to Google+ to break the bad news and to advise people who signed up that this would be a good time to change up your passwords. 

Fans of AOKP,

Yesterday we got reports of http://aokp.co being infected with malware. We did some investigation and it looks like our site did get compromised by some sort of malware.

All usernames and passwords were compromised.

Yes, this sucks, and I take 100% of the responsibility for what happened. I am very sorry to everyone who registered on the site. The silver lining of the event is that site registrations have been closed for many months as it is, and we’ve been using RootzWiki as our main “forum.” I will see what I can do about sending an email to all of the registered users and notify them of the incident.

It looks like only the actual site (http://aokp.co) was affected – gerrit and everything else was untouched. I’ve taken the site down completely for now. You can still get your builds from AndroTransfer or Goo-Inside.me.

Please please please change your passwords and remember to keep your email password just a little more secure! If you used the same email/password combo elsewhere, now would be the time to go and change it as well.


***Note: no, the passwords were not stored in plaintext

AOKP has made RootzWiki their homebase for a while now, but still, this is never a fun thing to happen.

Via: Google+

  • Ashley from Dashlane here. I see one of our awesome users already told you about Dashlane. We’re running a promo today for Android fans on Reddit: Dashlane Premium for a year ($39.99 value) totally free! And now Droidlifers! Details here: http://www.reddit.com/r/Android/comments/136t69/dashlane_premium_android_for_redditors_only/

  • Andrew

    Dang that sucks… Times like this make me glad I started using a program like Dashlane (http://u4s.us/sDTw) to manage all my online passwords and help me keep them unique so the possibility of one getting comprimised won’t make me have to change a ton of logins.

  • hahahaa

    the message is funny but that really sucks

  • brkshr

    Conspiracy theory alert: I find it interesting that this happened shortly after Team AOKP & Team CM got into a couple spats online…..

  • Guess their swagger didn’t help them.

  • Stewie

    The awesome power of the horn was no match for porn, er, uh, malware ….

  • This speaks volumes about the security of the actual OS project.

    • normmcgarry

      Open Source Android security vs Open Source Bulletin Board software security? No, I’m afraid those do not speak to one another at all.

  • I didn’t know they had a forum. Yay me.

  • Will the Kangerator app still work for new releases?

    • chrismcconkey

      I have never used it before but I downloaded it and it is crashing on launch.

  • We need a new solution to the classic username/password system. This is getting a bit ridiculous with every single website out there requiring some unique username and password, each with a different password policy and the fact that you’re supposed to use a different username and password combination for every website.
    It seems every other month another website is hacked and user credentials are stolen.

    The system can no longer be sustained. We need a fix.

    • Got any propositions?

      • David Hussey

        Make everything a Facebook Login! I love that! /s

        • It’s a sad truth. Using the single login scheme does require that you be logged into a different site, adding a level of complexity. Just sucks that the one site is Facebook.

          • Not really, Twitter and Google accounts also support OAuth and identity management via that.

          • Evan Wickes

            google isnt so safe. my account was hacked & i’m far from a grandma surfing the web. also google spends thousands of $$$ blocking attacks from china. altho i use google day-in day-out, i dont think they are the solution unless u use the 2 step authentication.

          • raoul duke

            2 step is where its at.

        • JulianZHuang

          super easy and hassle free of opening a new account.

        • Instagram login.

        • Justin W

          I’d much rather prefer Gmail Login over the current system. That way, no individual site would have that information.

          • SamsungFTW

            Those are all decent ideas but also dependant on using a particular subscription service. Using a supscription service (such as facebook) sometimes comes with unwanted notification emails and other hassels. Sure you could turn them off, but I think it would be much simpler to have a universal password service that is dedicated to that and only that. After setting it up once, you would log in to everything with that and could set your browser to use it to log in to all websites automatically if you choose, or optionally do that and have the browser ask for it once when you open it. Since it would be integrated into the browser, websites would not even ask you for that information and you would no longer see log in screens. Lastpass does something similar, but it would be nice rather than storing other passwords just having one unified password that is used everywhere.

            The catch is that it would have to be very complex and well guarded, heavily encrypted and not shared with anyone because if someone got it that would mean trouble.

          • Justin W

            This reminds me of what Chrome does for all Google sites. That would make life a breeze, but Chrome doesn’t (as far as I’m aware of or cared to look) offer any real security features to prevent others from using my info without my permission.

    • Iceman0803
  • realfoxm

    Its pretty safe to say that the majority if us may not have ever registered at the site as the forum link redirected us to Roots Wiki for many months.

  • If the passwords weren’t stored in plaintext, then how were they compromised????

    • What I’m implying here, is plaintext or not, AOKP was doing something very wrong in storing user credentials.

    • brkshr

      AOKP reiterated later that the passwords should not have been compromised. They still thought it was best to let everyone know.

  • Verizon

    I’m going to go on the record and say that that isn’t good.

    • Jack Witherell

      none of this would have happened if you had just given us gnex owners jellybean!!!

      • Verizon

        See, once I release that then everyone will have time to notice the reception problems. This way you are all too focused on the update and don’t even notice the reception problems.

        The next comment will be, “What reception problems?” to which I will reply, “Exactly!”

  • Bionic

    wow that sucks

    • Verizon

      Who the hell down voted your comment?

      • Bionic

        A holes who dont like me

        • Verizon

          Well, the world is full of idiots.

          • Fatty Bunter

            I agreed with your first comment, but honestly it got pretty funny by the end that all of them had a downvote. Congrats anonymous troll.

        • michael arazan

          I’m guessing the person(S) who infected the aokp in the first place voted him down

    • Simon Belmont

      I just upvoted it to balance it out. I hope that helps.

      Mostly because I agree. Yay.

      • Jack Witherell

        Who dafuq downvoted YOU?!?