vBulletin Website Hacked: Patches For Their Forum Software Released
The popular bulletin board software vBulletin has experienced a hack. Both their website and their software have been breached by attackers who have made off with username, password, security questions and salted passwords.
According to Naked Security –
Following claims, nay, boasts, of an attack on Sunday evening, the software developer moved quickly to negate the effects of the hack by releasing a series of security patches on Monday, saying:
A security issue has been reported to us that affects the versions of vBulletin listed here: 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 5.1.9 We have released security patches to account for this issue. It is recommended that all users update as soon as possible.
That was in response to a hacker going by the name of “Coldzer0” who bragged about his alleged exploits on various web forums, as well as social media. He also uploaded a Youtube video and posted data on Facebook, both of which have since been deleted.
Additionally, in a post co-authored with @Cyber_War_News, he also claimed to have compromised the forums for Foxit Software, using the exact same vulnerability. He says he obtained information from more than 260,000 of Foxit’s 537,000 user accounts, telling @Cyber_War_News that he thought it strange his hacking attempts were not detected.
All in, Coldzer0, is believed to have made off with personal data belonging to some 479,895 users from the two attacks.
According to databreaches.net, Coldzer0 swiped user ids, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords.
While it is not yet clear how the hack took place, Coldzer0 claims he exploited a zero-day vulnerability affecting vBulletin.com, a possibility lent some credence by a report from the Register which offers up links to a couple of tweets which appear to confirm as much.
In addition to the security patches, vBulletin has also taken the additional step of enforcing a password change upon all of its users, using a post on its own forum to announce the global reset request:
We take your security and privacy very seriously. Very recently, our security team discovered a sophisticated attack on our network. Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.
We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect your account.
If you think that message looks familiar, you’d be spot on – it’s almost a carbon copy of what Paul Ducklin described as “that verbiage trap” when covering a very similar breach at vBulletin in November 2013.
How to pick a proper password: