Hackers posted names, e-mail addresses, message histories, and partially protected login credentials for more than 158,000 forum users of Boxee.tv, the Web-based television service that was acquired by Samsung last year, researchers said.

The breach occurred no later than last week, when a full copy of the purloined forum data became widely available, Scott A. McIntyre, a security researcher in Australia, told Ars. On Tuesday, officials from password management service LastPass began warning customers with e-mail addresses included in an 800 megabyte file that's still circulating online. The file contains personal data associated with 158,128 user accounts, about 172,000 e-mail addresses, and the cryptographically scrambled passwords that corresponded to those Boxee accounts, LastPass said. The dump also included a wealth of other details, such as user birth dates, IP addresses, site activity, full message histories, and password changes. All user messages sent through the service were included as part of the leak.

As Ars has explained before, even when passwords in hacked databases have been cryptographically hashed, most remain highly susceptible to cracking attacks that can reveal the plain-text characters required to access the account . The damage can be especially severe when people use the same or similar passwords to protect accounts on multiple sites, an extremely common practice.

"Please update the password for your boxee.tv account immediately," stated an e-mail LastPass sent to customers. "The LastPass Security Challenge, located in the Tools menu of the LastPass addon, will help find any other accounts using the same password as the leaked account."

The compromised data appears to cover only user data associated with Boxee.tv forums, not service accounts, McIntyre said. Boxee has issued no statement on the breech, and Ars has so far been unable to confirm with the company precisely which accounts are compromised. Have I been Pwned?, a reputable and secure service operated by Australian researcher Troy Hunt, has incorporated the dumped Boxee user data into its growing database. People who want to know if their personal data has been exposed online should check with this service. Ars readers who can provide clarification about precisely what Boxee accounts are and are not included in the dump are invited to do so in the comments section.

McIntyre said he acquired a copy of the enormous MySQL database last week and found entries known to belong to some of his company's clients in it. In addition to being further confirmed by Hunt and LastPass, the breach has also been documented here by the Risk Based Security blog. Curiously, the blog post included a screen shot claiming one of the compromised users was Brian Krebs, an investigative reporter covering security, hacking, and Internet crime. According to both McIntyre and a query on Have I Been Pwned?, Krebs' name and e-mail address aren't included in the leaked MySQL file. Still, the screenshot is evidence of a security breach affecting the Boxee.tv forums.