VBulletin hacked. DEF CON closes its forums after security scare

Graham Cluley

VBulletin, the software used to run many internet forums and message boards, has had its network attacked by hackers, who managed to steal the user IDs of customers and encrypted passwords.

VBulletin broke the bad news in an announcement on its site, advising users that it was resetting passwords.

VBulletin announcement

This is an important message about your account.


We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

It’s good that VBulletin is advising users to urgently change their passwords on any other website where they might be using the same login credentials. (As I’ve said many times, it’s never wise to use the same password in multiple places, because of the hacking risk).

But wouldn’t it have been more reassuring if VBulletin had shared information on the nature of the encryption they used, and whether the passwords were salted and hashed in a way which makes it harder for hackers to crack them?

Last week, the MacRumors website (which runs on VBulletin) was similarly hacked, exposing the details of more than 860,000 users. In that case, the exposed passwords were salted and hashed, but using vBulletin’s standard MD5 algorithm, which provides what is generally considered inadequate security.
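The point above is that a salt alone is not enough: a fast hash like MD5 lets anyone holding a leaked table test guesses at enormous speed, whereas a deliberately slow, iterated scheme raises the cost of every guess. The following is an added example written for this article, not code from vBulletin or from the original post. The record labels (`md5`, `pbkdf2`), the `scheme$salt$digest` record format and the iteration count are assumptions chosen for illustration; the "legacy" function models a single-round salted MD5 rather than vBulletin's exact construction. It shows how a forum can verify records under either scheme, migrate a legacy record to PBKDF2-HMAC-SHA256 the next time that user logs in (the only moment the plaintext is available), and measure how much more expensive each verification becomes.

```python
import hashlib
import hmac
import os
import time

# Constructed example: scheme labels and record format are assumptions, not
# vBulletin's real storage format. "legacy" models a single-round salted MD5,
# the kind of scheme the article calls inadequate; "hardened" uses
# PBKDF2-HMAC-SHA256 from the Python standard library.
LEGACY = "md5"
HARDENED = "pbkdf2"
PBKDF2_ITERATIONS = 200_000  # assumption: raise until one hash costs ~100 ms on your hardware


def hash_legacy(password: str, salt: bytes) -> str:
    """Salted, single-round MD5. The salt defeats precomputed tables, but MD5 is
    so cheap that a leaked table can still be attacked at billions of guesses
    per second per record."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY}${salt.hex()}${digest}"


def hash_hardened(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The iteration count is stored in the record so
    it can be raised later without breaking existing logins."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HARDENED}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the stored record from the candidate password and compare in
    constant time, whichever scheme wrote it."""
    scheme, *fields = stored.split("$")
    if scheme == LEGACY:
        salt_hex, _digest = fields
        expected = hash_legacy(password, bytes.fromhex(salt_hex))
    elif scheme == HARDENED:
        iterations, salt_hex, _dk = fields
        expected = hash_hardened(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        raise ValueError(f"unknown password scheme: {scheme!r}")
    return hmac.compare_digest(expected, stored)


def login_and_upgrade(password: str, stored: str) -> tuple:
    """Check a login and, if the record is still legacy, return an upgraded one.
    Returns (ok, record_to_store). The plaintext exists only at login time, so
    this is the one moment a site can migrate a record without forcing a reset."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith(LEGACY + "$"):
        return True, hash_hardened(password, os.urandom(16))
    return True, stored


def cost_ratio(samples: int = 3) -> float:
    """Wall-clock cost of one hardened hash divided by one legacy hash: roughly
    the factor by which offline guessing against a leaked table slows down."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        hash_legacy("benchmark", salt)
    legacy_each = (time.perf_counter() - t0) / (samples * 1000)
    t0 = time.perf_counter()
    for _ in range(samples):
        hash_hardened("benchmark", salt)
    hardened_each = (time.perf_counter() - t0) / samples
    return hardened_each / legacy_each


if __name__ == "__main__":
    record = hash_legacy("correct horse", os.urandom(16))   # an old, legacy-format record
    ok, record = login_and_upgrade("correct horse", record)  # user logs in: record is migrated
    print(ok, record.split("$")[0])                          # True pbkdf2
    print(f"one hardened verification costs ~{cost_ratio():.0f}x a salted MD5")
```

Because the scheme and iteration count travel with each record, a site can answer exactly the question raised above (what algorithm, salted or not, how many rounds) from its own database, and can raise the cost over time as hardware gets faster. Storing the plaintext nowhere and migrating only on successful login means no bulk password reset is needed for the upgrade itself; a reset is still the right response once a table is known to have leaked, which is what VBulletin did.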

It appears that the attacks against MacRumors and VBulletin’s own site are linked.

Softpedia reports that a hacking group called Inj3ct0r Team has claimed responsibility for the attack, and has put the shell upload/remote code execution exploit it used against VBulletin up for sale online.

If you’re running an online forum using VBulletin, you might well feel the safest option is to show an “abundance of caution” and shut down your message boards until this unholy mess is sorted out.

That’s certainly what the organisers of DEF CON have decided to do. Anyone visiting DEF CON’s forums right now will see a “super-shark-fin sad cat” (the site’s equivalent to Twitter’s fail whale).

Defcon closes its forums

VBulletin needs to act fast if it is going to have any chance to restore users’ confidence in the security of its forum software.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
