A security breach at Ubuntu Forums exposed the information of as many as two million users.
Jane Silber, CEO of Canonical, the company that produces the Debian-based Linux operating system Ubuntu, published a statement about the hack on Friday:
“At 20:33 UTC on 14th July 2016, Canonical’s IS team were notified by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the Forums database. After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.”
The attacker then went on to download portions of the Forums database “user” table, which included the email addresses, usernames, and IP addresses for two million users.
The table also stored users’ salted and hashed passwords. As of this writing, it is unclear what hashing algorithm Canonical used for members’ passwords.
Canonical’s information security team has determined the attacker was unable to gain access to any Ubuntu code repository, update mechanism, or valid user passwords. Silber also believes the attacker did not access any additional services or servers.
This is not the first time someone has compromised Ubuntu Forums users’ information. Back in 2013, an attacker leveraged a cross-site scripting (XSS) vulnerability to download 1.82 million usernames, email addresses, and salted and hashed passwords. The attacker also defaced the Forums.
In response to this latest breach, Canonical has wiped and restored the servers running vBulletin, brought vBulletin up to the latest patch level, and reset all system and database passwords.
Users don’t have to do anything at this time, but it wouldn’t hurt for them to change their passwords and to enable two-step verification (2SV) on their accounts.
News of this hack comes approximately two months after hackers breached a popular underground forum used by cybercriminals to trade and purchase leaked data, stolen credentials, and software vulnerabilities.