VBulletin, the software used to run many internet forums and message boards, has had its network attacked by hackers, who managed to steal the user IDs of customers and encrypted passwords.
VBulletin broke the bad news in an announcement on its site, advising users that it was resetting passwords.
This is an important message about your account.
We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
It’s good that VBulletin is advising users to urgently change their passwords on any other website where they might be using the same login credentials. (As I’ve said many times, it’s never wise to use the same password in multiple places, because of the hacking risk).
But wouldn’t it have been more reassuring if VBulletin had shared information on the nature of the encryption they used, and whether the passwords were salted and hashed in a way that makes it harder for hackers to crack them?
Last week, the MacRumors website (which runs on VBulletin) was similarly hacked, exposing the details of more than 860,000 users. In that case, the exposed passwords were salted and hashed, but using vBulletin’s standard MD5 algorithm, which provides what is generally considered inadequate security.
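To make the point about salted MD5 concrete, here is an added example (not code from vBulletin or from the article) contrasting a simplified single-round salted-MD5 scheme with a deliberately slow key-derivation function, PBKDF2-HMAC-SHA256 from Python's standard library. Both schemes salt the password; the difference a defender cares about is the cost of each verification, because that same cost bounds how many guesses an attacker holding a stolen hash can test per second. The iteration count, salt length and the `verifications_per_second` helper are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# --- Scheme 1: single fast hash over password + salt (constructed simplification
# of the kind of scheme the article criticises; NOT vBulletin's actual code). ---

def md5_store(password, salt=None):
    """Return (salt, hex digest) for a salted single-round MD5 hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.md5(password.encode("utf-8") + salt).hexdigest()
    return salt, digest


def md5_verify(password, salt, digest):
    candidate = hashlib.md5(password.encode("utf-8") + salt).hexdigest()
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, digest)


# --- Scheme 2: salted, iterated KDF. Iteration count is a tunable work factor
# (600k is an assumed, deliberately expensive value; tune to your login budget). ---

PBKDF2_ITERATIONS = 600_000


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, hex digest); store all three so the work
    factor can be raised later without invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk.hex()


def pbkdf2_verify(password, salt, iterations, digest):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), digest)


def verifications_per_second(verify, args, seconds=0.5):
    """Measure how many password verifications one CPU core completes per second.
    For a stored hash, this is also the per-core upper bound on offline guessing,
    so a lower number means a stolen database is harder to crack."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verify("not-the-real-password", *args)
        count += 1
    return count / seconds


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    md5_args = md5_store(pw)
    kdf_args = pbkdf2_store(pw)
    print("salted MD5      : %10.0f checks/s" % verifications_per_second(md5_verify, md5_args))
    print("PBKDF2-SHA256   : %10.0f checks/s" % verifications_per_second(pbkdf2_verify, kdf_args))
```

On a typical laptop the MD5 scheme verifies hundreds of thousands of candidates per second in pure Python (and orders of magnitude more on GPU cracking rigs), while the PBKDF2 scheme manages a handful; the salt only stops precomputed tables and cross-user reuse, it does nothing about raw guessing speed. A modern deployment would reach for bcrypt, scrypt or Argon2 rather than PBKDF2, but the work-factor principle is the same.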
It appears that the attacks against MacRumors and VBulletin’s own site are linked.
Softpedia reports that a hacking group called Inj3ct0r Team has claimed responsibility for the attack, and has put the shell upload/remote code execution exploit it used against VBulletin up for sale online.
If you’re running an online forum using VBulletin, you might well feel the safest option is to show an “abundance of caution” and shut down your message boards until this unholy mess is sorted out.
That’s certainly what the organisers of DEF CON have decided to do. Anyone visiting DEF CON’s forums right now will see a “super-shark-fin sad cat” (the site’s equivalent to Twitter’s fail whale).
VBulletin needs to act fast if it is going to have any chance to restore users’ confidence in the security of its forum software.