vBulletin.com has been hacked and passwords stolen
November 16, 2013 at 7:16 pm #700427
Hackers claimed yesterday to have hacked the author of the world’s most widely used content management system, vBulletin, having published what appeared to be screenshots of their file system and databases. The hackers also laid claim to the recent macrumors.com forum hack using the same means, in the form of a new and as yet undisclosed vulnerability in vBulletin content management and forum software, although this hasn’t been confirmed yet…
Quote:
Inj3ct0r Team hacked vBulletin.com and Macrumors.com
Inj3ct0r Team hacked the big CMS vendor vBulletin.com
We got shell , database and root server. We wanted to prove that nothing in this world is not safe.
We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x
We’ve got upload shell in vBulletin server, download database and got root.
All those wishing to buy a copy of the vulnerability and patch your forum.
Proof images of their shell + database access at vBulletin.com.
Macrumors.com was based on vBulletin CMS. We use 0day exploit on vBulletin, got password moderator. 860000 hacked too.
The network security is a myth.
The latest unofficial statement from a member of staff at Internet Brands, owners of vBulletin, is as follows:
Quote:
They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.
It’s not known exactly how, but at one point there were in the region of 100 old installs on it, so any one of them could have been used.
The best guess from evidence is that they hacked it sometime in late summer, and at some point between then and early October they uploaded Adminer.
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vBulletin.com and vBulletin.org user tables.
After that it appears they moved on (they deleted adminer). Nothing was known about this until their Facebook post the other day.
The log files that were examined do not show any attempted access of customer data in the support system; they basically targeted the vBulletin user table.
It appears the authors of the macrumors.com and vBulletin.com hack were the same but the means were different, contrary to claims.
Several of the posts in this thread were updated as new information about the hack on vBulletin.com became available. Please read the whole thread for complete details on the events of yesterday.
November 16, 2013 at 7:36 pm #972200
It seems the hackers got access to a secondary Q&A server potentially through a hack of older code. The hack appears to have taken place as long ago as a month or more with the system in question running a recent export of their production database. However customer support and billing systems were unaffected according to Internet Brands.
All user passwords have now been set to change on vBulletin.com and vBulletin.org as a precaution. Although vBulletin stores password information in encrypted format it’s unclear whether these have or will be compromised however it’s not impossible and will depend on the level and type of encryption used of course. An email has also been sent out to all customers…
This hack is a big deal given the popularity of the company’s software and the number of websites using it. vBulletin has suffered issues in recent years since the acquisition of its original owner Jelsoft Enterprises Ltd by Internet Brands in 2007. After a lengthy court case against former members of their core development team who set up a rival company and forum software called Xenforo. Pricing and support model changes over the last few years which have proved unpopular with their install base. A significant vulnerability in several versions of vBulletin exposed not long ago affecting many thousands of websites. Uptake of the latest version of their software (vBulletin 5.x) having been somewhat poor with the development process beset by delays and bugs. And this latest seemingly deliberate although exaggerated attempt to harm their reputation through this attack by spreading fear, uncertainty and doubt.
The perpetrators’ claim of having uncovered a flaw in all versions of vBulletin seems unlikely and remains unproven at this time but information is still sparse. krebsonsecurity.com have addressed an open letter to vBulletin informing them of the situation, which was originally revealed on Facebook, and asked for a public statement.
Several vBulletin staffers have stated publicly that yesterday’s brief down time on vBulletin.com and vBulletin.org was maintenance related and had nothing to do with the hacking of their QA server…
This post was updated as new information about this hack became available.
November 16, 2013 at 7:42 pm #972201
The email from Internet Brands warning of the problem…
This is an important message about your account.
We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password.
Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
To regain access to your account:
Visit the vBulletin forums at User Settings – vBulletin Community Forum in your existing password followed by your new password, twice for confirmation.
Save this page at the bottom.
Please choose a new password and do not use the same password you used with us previously.
We also highly recommend that you choose a password that you are not using on any other sites.
If you have any additional questions or concerns, please feel free to contact our support team at vBulletin 5 Connect, The World’s Leading Community Software
Luke, vBulletin Lead Technical Support.
Helping You Build Better Communities
November 16, 2013 at 7:59 pm #972202
Some unofficial details from a staffer…
1. I stated (correctly) that the server they hacked was an old QA stage server.
2. The server was not hacked yesterday, the screenshots date it at sometime in October (more than likely they did it even earlier, just took later shots).
3. vb.org & vb.com were last down (12th/13th depending on your timezone) because of scheduled work on the database server.
You are free to discuss this situation on vBulletin.org, you are not free to make up stuff.
November 16, 2013 at 8:06 pm #972203
Some contradictory information on the subject of whether the two hacks really used the same means…
Originally Posted by informationweek.com
In the case of MacRumors, however, lol said that the vBulletin software wasn’t to blame for the breach, saying instead that “the fault lied within a single moderator.” That suggests that a MacRumors moderator chose an insecure password, which lol either guessed, or matched using a dictionary attack, which attempts to guess passwords by using an exhaustive list of likely matches.
November 16, 2013 at 10:19 pm #972204
What hasn’t been disclosed is whether the hackers had access to customer records and financial information, also the support system in particular which must contain a large amount of sensitive customer information…
Updated above, this now appears not to be the case.
November 16, 2013 at 10:44 pm #972220 Angel Moderator
What does all this mean for Party Vibe Radio and PartyVibe?
It’s a bit like reading Russian to me.
November 16, 2013 at 10:52 pm #972205
The owners of vBulletin need to release more information about exactly what happened, all we know right now is that passwords were stolen. The hackers are claiming to have found a weakness in all versions of vBulletin which isn’t impossible but unlikely. It also appears the hackers lied about the macrumors.com hack, so there’s a good chance their statement is about spreading fear, uncertainty and doubt, and this isn’t a new flaw in vBulletin…
November 16, 2013 at 11:23 pm #972198
@Angel 558438 wrote:
What does all this mean for Party Vibe Radio and PartyVibe?
It’s a bit like reading Russian to me.
That’s what I was gonna say, because I don’t understand any of it. PV uses vBulletin does it not?
November 17, 2013 at 12:51 am #972206
We’ve been using vBulletin’s software for more than a decade. And these hackers are claiming to have found a new weakness in all versions of this software but there’s no evidence of this being true yet. So we appear to be safe for now…
@Gylfi Sigurðsson 558440 wrote:
That’s what I was gonna say, because I don’t understand any of it. PV uses vBulletin does it not?
November 17, 2013 at 1:03 am #972199
*wipes sweat from brow*
November 17, 2013 at 1:21 am #972207
Unofficial statements have surfaced from Internet Brands suggesting the screenshots are fake and only one table of a database was targeted. I’ve updated the first post in this thread with an unofficial statement from a vBulletin staffer in reply to questions I put to them…
November 17, 2013 at 2:38 am #972208
I was told unofficially by a vBulletin staffer that no customer records other than passwords were accessed. I’ve added the information to the first post in this thread as an update.
@Dr Bunsen 558437 wrote:
What hasn’t been disclosed is whether the hackers had access to customer records and financial information, also the support system in particular which must contain a large amount of fairly sensitive customer information…
November 17, 2013 at 2:49 am #972209
On the subject of the macrumors.com hack:
Quote:
The MacRumors intrusion involved “a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials,” Kim said. MacRumors is still investigating how the attacker managed to compromise the privileged account.
“We’re not sure how the original moderator’s password was obtained, but it seems like they just logged in with it,” Kim wrote in an e-mail to Ars. “We are looking into it further to see if there was another exploit, but there hasn’t been any evidence of it yet.” Kim also told Ars that log files examined so far seem to indicate that the intruder “tried to access” the password database. At this early stage, there are no indications that the passwords, either in cryptographically hashed or cracked format, are circulating online. There’s also no sign that the hackers were able to access any other data than that belonging to the user forums.
Kim went on to compare the hack to one that hit Ubuntu forums in July. The Ubuntu breach exposed cryptographically hashed password data for an estimated 1.82 million users to hackers who went on to deface the site’s home page. Like the Ubuntu forums, MacRumors used the MD5 algorithm, along with a per-user cryptographic salt, to convert plaintext passwords into a one-way hash.
November 17, 2013 at 7:35 am #972221
Hmmm…hope this gets sorted soon, I want to really know what’s head and tails in this whole story…
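
An added example, not part of the thread and not vBulletin or MacRumors code: the thread mentions forum passwords stored as MD5 with a per-user salt and a forced reset after the breach, and this sketch shows how a site can move such rows to a slow key-derivation function at login and list the accounts that still need a reset. The row layout, the `password + salt` ordering, the choice of PBKDF2 and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # work factor chosen for this example; tune to your hardware

def legacy_md5(password: str, salt: str) -> str:
    # Assumed legacy layout: hex MD5 over password + per-user salt.
    return hashlib.md5((password + salt).encode()).hexdigest()

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_legacy_user(name: str, password: str, salt: str) -> dict:
    # Constructed sample row standing in for a forum user table entry.
    return {"name": name, "scheme": "md5", "salt": salt,
            "hash": legacy_md5(password, salt)}

def login(user: dict, password: str) -> bool:
    """Verify a password; on success, replace a legacy MD5 row with PBKDF2."""
    if user["scheme"] == "pbkdf2":
        return hmac.compare_digest(slow_hash(password, user["salt"]), user["hash"])
    if not hmac.compare_digest(legacy_md5(password, user["salt"]), user["hash"]):
        return False
    # The plaintext is only available at this moment, so upgrade the row now.
    new_salt = os.urandom(16)
    user.update(scheme="pbkdf2", salt=new_salt, hash=slow_hash(password, new_salt))
    return True

def still_legacy(users: list) -> list:
    """Accounts not yet upgraded: candidates for a forced password reset."""
    return [u["name"] for u in users if u["scheme"] == "md5"]

if __name__ == "__main__":
    users = [make_legacy_user("alice", "correct horse", "a1b2"),
             make_legacy_user("bob", "hunter2", "c3d4")]
    print(login(users[0], "correct horse"), still_legacy(users))
```

Rows that never log in stay on the fast hash, which is why the forced reset described in the thread is still needed alongside an upgrade like this.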