Party Vibe

vBulletin.com has been hacked and passwords stolen

It seems the hackers got access to a secondary Q&A server, potentially through a hack of older code. The hack appears to have taken place as long ago as a month or more, with the system in question running a recent export of their production database. However, customer support and billing systems were unaffected according to Internet Brands.

    All user passwords have now been set to change on vBulletin.com and vBulletin.org as a precaution. Although vBulletin stores password information in encrypted format it’s unclear whether these have or will be compromised however it’s not impossible and will depend on the level and type of encryption used of course. An email has also been sent out to all customers…

This hack is a big deal given the popularity of the company’s software and the number of websites using it. vBulletin has suffered issues in recent years since the acquisition of its original owner Jelsoft Enterprises Ltd by Internet Brands in 2007. After a lengthy court case against former members of their core development team who set up a rival company and forum software called Xenforo. Pricing and support model changes over the last few years which have proved unpopular with their install base. A significant vulnerability in several versions of vBulletin exposed not long ago affecting many thousands of websites. Uptake of the latest version of their software (vBulletin 5.x) having been somewhat poor with the development process beset by delays and bugs. And this latest seemingly deliberate although exaggerated attempt to harm their reputation through this attack by spreading fear, uncertainty and doubt.

The perpetrators’ claim of having uncovered a flaw in all versions of vBulletin seems unlikely and remains unproven at this time, but information is still sparse. krebsonsecurity.com have addressed an open letter to vBulletin informing them of the situation, which was originally revealed on Facebook, and asked for a public statement.

    Several vBulletin staffers have stated publicly that yesterday’s brief down time on vBulletin.com and vBulletin.org was maintenance related and had nothing to do with the hacking of their QA server…

    Note:

    This post was updated as new information about this hack became available.



The email from Internet Brands warning of the problem…

This is an important message about your account. We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password.

Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account. To regain access to your account:

Visit the vBulletin forums at User Settings – vBulletin Community Forum in your existing password followed by your new password, twice for confirmation.

    Save this page at the bottom.

    Please choose a new password and do not use the same password you used with us previously.

We also highly recommend that you choose a password that you are not using on any other sites.

If you have any additional questions or concerns, please feel free to contact our support team at vBulletin 5 Connect, The World’s Leading Community Software. Luke, vBulletin Lead Technical Support.

    Helping You Build Better Communities

    Some unofficial details from a staffer…

    1. I stated (correctly) that the server they hacked was an old QA stage server.

    2. The server was not hacked yesterday, the screenshots date it at sometime in October (more than likely they did it even earlier, just took later shots).

    3. vb.org & vb.com were last down (12th/13th depending on your timezone) because of scheduled work on the database server.

    You are free to discuss this situation on vBulletin.org, you are not free to make up stuff.

    Some contradictory information on the subject of whether the two hacks really used the same means…

    Originally Posted by informationweek.com
    In the case of MacRumors, however, lol said that the vBulletin software wasn’t to blame for the breach, saying instead that “the fault lied within a single moderator.” That suggests that a MacRumors moderator chose an insecure password, which lol either guessed, or matched using a dictionary attack, which attempts to guess passwords by using an exhaustive list of likely matches.

    What hasn’t been disclosed is whether the hackers had access to customer records and financial information, also the support system in particular which must contain a large amount of sensitive customer information…

    Updated above, this now appears not to be the case.



What does all this mean for Party Vibe Radio and PartyVibe?

      It’s a bit like reading Russian to me.

      *You're my favorite place to go to when my mind searches for peace *

      The owners of vBulletin need to release more information about exactly what happened, all we know right now is that passwords were stolen. The hackers are claiming to have found a weakness in all versions of vBulletin which isn’t impossible but unlikely. It also appears the hackers lied about the macrumours.com hack, so there’s a good chance their statement is about spreading fear, uncertainty and doubt, and this isn’t a new flaw in vBulletin…

      @Angel 558438 wrote:

What does all this mean for Party Vibe Radio and PartyVibe?

      It’s a bit like reading Russian to me.

That’s what I was gonna say, because I don’t understand any of it. PV uses vBulletin, does it not?

      We’ve been using vBulletin’s software for more than a decade. And these hackers are claiming to have found a new weakness in all versions of this software but there’s no evidence of this being true yet. So we appear to be safe for now…

      @Gylfi Sigurðsson 558440 wrote:

That’s what I was gonna say, because I don’t understand any of it. PV uses vBulletin, does it not?

      *wipes sweat from brow*

Unofficial statements have surfaced from Internet Brands suggesting the screenshots are fake and only one table of a database was targeted. I’ve updated the first post in this thread with an unofficial statement from a vBulletin staffer in reply to questions I put to them…

      I was told unofficially by a vBulletin staffer that no customer records other than passwords were accessed. I’ve added the information to the first post in this thread as an update.

      @Dr Bunsen 558437 wrote:

      What hasn’t been disclosed is whether the hackers had access to customer records and financial information, also the support system in particular which must contain a large amount of fairly sensitive customer information…

      On the subject of the macrumors.com hack:

      Quote:
      The MacRumors intrusion involved “a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials,” Kim said. MacRumors is still investigating how the attacker managed to compromise the privileged account.

“We’re not sure how the original moderator’s password was obtained, but it seems like they just logged in with it,” Kim wrote in an e-mail to Ars. “We are looking into it further to see if there was another exploit, but there hasn’t been any evidence of it yet.” Kim also told Ars that log files examined so far seem to indicate that the intruder “tried to access” the password database. At this early stage, there are no indications that the passwords, either in cryptographically hashed or cracked format, are circulating online. There’s also no sign that the hackers were able to access any other data than that belonging to the user forums.

      Kim went on to compare the hack to one that hit Ubuntu forums in July. The Ubuntu breach exposed cryptographically hashed password data for an estimated 1.82 million users to hackers who went on to deface the site’s home page. Like the Ubuntu forums, MacRumors used the MD5 algorithm, along with a per-user cryptographic salt, to convert plaintext passwords into a one-way hash.

Hmmm… hope this gets sorted soon, I want to really know what’s head and tails in this whole story…

An interview with the claimed authors of the hack on macrumors.com and vBulletin.com by Ars Technica…

      The group that hacked MacRumors Forums and made off with password data for more than 860,000 users has no plans to use it to mass compromise the accounts of people who use the same login credentials on other sites.

The pledge was made in this post by a user who supplied confidential password details that weren’t publicly available. Among other things, that information included a partial cryptographic hash corresponding to the password of MacRumors Editorial Director Arnold Kim, as well as the cryptographic salt used to increase the time required to crack it. Kim told Ars that those and other confidential details included in the post were “legit.” The user went on to defend the hack as a benign undertaking designed to sharpen the skills of both the hacker and the MacRumors administrators.

      “We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),” the user known simply as Lol wrote. “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”

      He continued: “Consider the ‘malicious’ attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”

      In subsequent posts here and here, Lol expanded on the thinking behind the hack. “Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.” The MacRumors breach, Lol added, was taken on “to test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out.”

      Lol went on to counter speculation that the hack was the result of exploiting one or more vulnerabilities in VBulletin, the open-source fee-based software that powered the MacRumors forums.

      “The fault lied [sic] within a single moderator,” the post stated. “All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about.”

      Lol confirmed that the MacRumors password hashes totaled 860,106. Interestingly, more than half of them contained a cryptographic salt that had a length of just three “bits,” although I’m guessing Lol really meant “bytes,” which would mean each one contained just three characters.

      Salts are pseudo-random strings that are appended to the plain text of passwords before they are run through a one-way hash function. Salting is designed to increase the time it takes to crack large numbers of hashes by requiring the attacker to make guesses against each hash individually instead of all at once. (Salting also prevents cracking through the use of rainbow tables, although in the age of video cards and efficient dictionary attacks made possible by Hashcat and other free cracking programs, few people use that method anymore.) To be truly effective, salts must be unique for every hash, something that generally isn’t possible with a three-byte salt.

      “Anyone that’d been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work [to] do, it’s like to have many with a 3 bit salt),” Lol wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts and get results.”

While the confidential details included in the post prove the writer has insider knowledge of the hack, readers are advised to maintain a healthy skepticism of all remaining claims. For instance, counter to Lol’s claims, there’s no way right now to be sure the hack wasn’t executed by exploiting a VBulletin vulnerability. And of course, MacRumors account holders shouldn’t take the word of an admitted trespasser that their accounts on other sites won’t be accessed.
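The salt argument in the quoted Ars piece (short salts collide, so one hash evaluation can cover many users) can be checked numerically. The following is an added example, not code from this thread, Ars, MacRumors or vBulletin; it assumes a 62-character alphanumeric salt alphabet and uses the simplified "append salt, then hash" construction the article describes.

```python
import hashlib
import hmac
import random
import string
from collections import Counter

# Constructed example (not MacRumors or vBulletin code) showing why the
# article says salts must be unique per hash: the work needed to test ONE
# candidate password against a whole table equals the number of DISTINCT salts.

ALPHABET = string.ascii_letters + string.digits  # assumed salt alphabet (62 symbols)

def make_salts(n_users, salt_len, rng):
    """One random salt per user, salt_len characters from ALPHABET."""
    return ["".join(rng.choices(ALPHABET, k=salt_len)) for _ in range(n_users)]

def duplicate_salt_count(salts):
    """Number of users whose salt is shared with at least one other user."""
    return sum(c for c in Counter(salts).values() if c > 1)

def hashes_per_guess(salts):
    """Hash evaluations needed to test one guess against every user:
    one per distinct salt, so shared salts let a single hash cover many users."""
    return len(set(salts))

def salted_hash(password, salt):
    """Simplified construction from the article: hash(password + salt).
    MD5 is used only to mirror the article; a real deployment should use a
    slow password hash (scrypt/bcrypt/Argon2) with a 16+ byte random salt."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def verify(password, salt, stored):
    """Constant-time comparison of a recomputed hash against the stored value."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def compare(n_users, seed=1):
    """Return {label: (users sharing a salt, hashes per guess)} for 3- and 16-char salts."""
    rng = random.Random(seed)
    short, long_ = make_salts(n_users, 3, rng), make_salts(n_users, 16, rng)
    return {
        "3-char": (duplicate_salt_count(short), hashes_per_guess(short)),
        "16-char": (duplicate_salt_count(long_), hashes_per_guess(long_)),
    }

if __name__ == "__main__":
    # 250,000 users exceeds the 62**3 = 238,328 possible 3-char salts, so
    # duplicates are guaranteed by the pigeonhole principle; 16-char salts stay unique.
    for label, (dups, work) in compare(250_000).items():
        print(f"{label}: {dups} users share a salt, {work} hashes per guess")
```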
