Following a security breach in the Forum Runner extension for vBulletin, hackers managed to obtain a copy of the UbuntuForums.org database. Around 2 million usernames and associated email addresses were stolen, but no passwords.
Registered users of the Ubuntu support forums should be particularly vigilant after the intrusion into the UbuntuForums.org database, which contains no less than 2 million email addresses and associated usernames. Canonical announced the breach on Friday, after being alerted by someone who said they had the database. An investigation revealed that the attacker gained access to the records through a vulnerability.
The SQL injection flaw was in the Forum Runner extension for vBulletin, the commercial forum software used by more than 100,000 community websites, notably by popular companies. The vulnerability was known, but Canonical’s security team was unable to release a patch soon enough. “The attacker had the ability to inject lines of formatted SQL code into the forum server databases,” Canonical’s security team said. “It allowed them to read any table, but we think they could only access the users table.” The users table contains subscriber names, email addresses and IP addresses relating to 2 million people. However, it does not contain user passwords in clear text, only bits of data used by Ubuntu’s SSO service, which do not allow access to user accounts.
Waves of spam and phishing expected
As a precaution, to ensure that no malicious code was left behind after this attack, Canonical temporarily shut down the site, completely rebuilt its host servers, installed the most up-to-date version of vBulletin, and reset all system and database passwords. The company is certain that the attacker was not able to access any code files or update mechanisms, obtain write permissions on the Ubuntu Forums database, gain shell access to the servers, or wreak havoc in other Canonical or Ubuntu services.
Although there is no immediate danger to Ubuntu Forums accounts, users could be targeted by waves of spam and phishing attempts to trick them into visiting malicious sites or downloading malware. Often, waves of such attacks are recorded after the mass theft of personal data. The Ubuntu forums are not the first sites running on vBulletin to have been compromised. This was for example the case in 2013 with MacRumors.com. Site administrators should always do what is necessary to keep their content management system up to date, including add-ons, themes and components provided by third parties and implemented in their CMS.