The official website of vBulletin.com forum software has hit the big red password reset following a breach by hackers that exposed the IDs of hundreds of thousands of users.
A hacker claimed to have made off with a combined 480,000 records after an attack that led to the defacement of vBulletin.com and a reported hack against Foxit Software’s forum, both supposedly pulled off using the same zero-day vulnerability.
vBulletin.com was taken down for maintenance in the immediate aftermath of the attack, which took place on Saturday, 31 October (Halloween, ooooh).
vBulletin.com has since returned online, seemingly not much the worse for wear, to claim the attack, though “sophisticated”, had been limited to the potential exposure of “customer IDs and encrypted passwords”.
Even though this might be enough in itself to actually hack into accounts, vBulletin.com has applied a precautionary reset, as a statement (extract below) by a vBulletin support manager explains.
We take your security and privacy very seriously. Very recently, our security team discovered a sophisticated attack on our network.
Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.
We have taken the precaution of resetting your account password.
We apologize for any inconvenience this has caused but felt that it was necessary to help protect your account.
A hacker using the handle “Coldzer0” claimed responsibility for the assault before dumping what purports to be user data. The dump was pulled offline by Tuesday afternoon. However, screenshots of dumped data suggest names, email addresses, security questions and answers, and password salts were all exposed.
El Reg has requested clarification of what exactly was exposed and how the attack was carried out from vBulletin.com’s US West Coast PR team. We'll update this story as and when we hear more.
Coldzer0 claimed he hacked Foxit Software’s forum using the same exploit he used against the vBulletin.com forum software site itself, according to databreaches.net, a site that has set itself the ever-expanding task of chronicling data breaches.
El Reg is yet to see anything solid to substantiate this point, and using a zero-day to pull off a defacement seems rather a waste, given the lucrative black market for exploits, not to say something close to overkill.
It seems the hacker involved, or someone he’s very cleverly setting up for a fall, may have bragged about his exploits on YouTube and a personal Facebook page before the content was pulled (but after screenshots were taken, so too late).
A purported vBulletin 5.x.x remote code execution 0day exploit was offered for sale on Monday, seemingly by the same hacker that pwned vBulletin.com.
SQL injection vulnerability, you can upload shell and remote execute. Today I hacked vbulletin.com, you can buy 0day today ;) http://www.vbulletin.com/forum/content.php/813-Recovering-a-hacked-vBulletin-Site
The whole sequence of events is odd. A breach against the vBulletin.com forum software site took place, but how it was effected remains far from clear, aside from the implication that the long-term web security nemesis of SQL injection played a central role in the security flap.
“Looks like it started as an SQLi and then they used shell access to deface the site,” said Reg reader Dillon L, the person who gave us the heads up about the breach.
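The chain the reader describes, an SQL injection probe followed by a server-side script being dropped into a web-writable directory, is one a forum operator can look for in ordinary web server access logs. The script below is an added example written for this article, not code from vBulletin or from anyone involved in the incident; the log lines, IP addresses and paths in it are constructed, and the `/uploads/` directory name and the SQL injection patterns it matches are assumptions chosen for illustration rather than anything known about the vBulletin.com breach. It parses Apache combined-format lines, flags requests whose decoded query string carries classic injection fragments, flags requests for `.php` files under an uploads directory, and raises an alert when one source IP does both in that order.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format). The first client
# probes with injection fragments, uploads something, then requests a PHP
# file from the uploads directory; the second client is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2015:10:01:02 +0000] "GET /forum/index.php?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2015:10:01:09 +0000] "GET /forum/index.php?q=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2015:10:03:44 +0000] "POST /forum/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2015:10:03:51 +0000] "GET /forum/uploads/x.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Oct/2015:10:05:00 +0000] "GET /forum/index.php?q=hello HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Oct/2015:10:05:10 +0000] "GET /forum/uploads/avatar.png HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse injection indicators applied to the URL-decoded request path and
# query. These are assumptions for the example; tune them to your stack.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'", re.I),                 # ' OR '
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"--\s*$|/\*"),                       # comment terminators
]

# A PHP file served from an uploads directory (assumed path convention).
UPLOAD_SCRIPT_RE = re.compile(r"/uploads?/[^?]*\.php\d?(\?|$)", re.I)


def parse_line(line):
    """Return a dict of the fields we need, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = unquote_plus(rec["url"])  # decode %27, %20, + before matching
    return rec


def looks_like_sqli(url):
    """True if the decoded URL contains any of the injection fragments above."""
    return any(p.search(url) for p in SQLI_PATTERNS)


def is_script_in_uploads(url):
    """True if the request is for a .php file under an uploads directory."""
    return bool(UPLOAD_SCRIPT_RE.search(url))


def correlate(log_text):
    """Group events per source IP and alert where an injection-looking request
    is followed (later in the log) by a script request in the uploads path."""
    per_ip = defaultdict(lambda: {"sqli": [], "shell": []})
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if looks_like_sqli(rec["url"]):
            per_ip[rec["ip"]]["sqli"].append(n)
        if is_script_in_uploads(rec["url"]):
            per_ip[rec["ip"]]["shell"].append(n)

    alerts = []
    for ip, ev in per_ip.items():
        # Order matters: the script request must come after the first probe.
        if ev["sqli"] and ev["shell"] and ev["shell"][-1] > ev["sqli"][0]:
            alerts.append({"ip": ip, "sqli_lines": ev["sqli"], "shell_lines": ev["shell"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: injection probes on lines {alert['sqli_lines']}, "
              f"script in uploads on lines {alert['shell_lines']}")
```

On the constructed log this raises exactly one alert, for 203.0.113.7, and stays silent for the client that only fetched an image from the same directory. The ordering check is what separates "someone fuzzed my forum" from "someone fuzzed my forum and then ran code from my uploads folder"; the operational fix the pattern points at is the same either way: uploads directories should not execute scripts at all.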
Sites running vBulletin forum software getting hacked is, sadly, a not infrequent occurrence. The home base getting turned over is a bigger deal and the unproven suggestion that an unpatched bug in vBulletin might be involved only adds to the unease. ®