This Week In Breaches: Ubuntu Forums
On July 14, a member of the Ubuntu Forums Council reached out to the Canonical team to inform them that someone had claimed to have a copy of their Forum’s database.
The next day Ubuntu released a security notice confirming that their database had been breached. The usernames, IPs and email addresses of 2 million users have been stolen, and the hackers are selling a copy of the forum’s database.
In their investigation, it was determined that the attacker gained access to user records through an unpatched SQL injection vulnerability. The exploited flaw was located in an add-on to the Forum for vBulletin – web forum software that powers over 100,000 community websites on the internet – and allowed the attacker to “download portions of the user table”.
vBulletin’s client roster also boasts EA Sports, Sony, NASA and the Denver Broncos.
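To show why an injection flaw of this kind exposes whole slices of a user table, here is an added illustration that is not code from the breach notice or from vBulletin: a constructed in-memory user table, a lookup that concatenates the username into the query (the bug class described above), and the same lookup with a bound parameter, which treats the input as data rather than SQL.

```python
import sqlite3
import re

# Constructed stand-in for a forum user table; the column names are assumed,
# not Ubuntu's or vBulletin's real schema, and the rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER, username TEXT, email TEXT, ipaddress TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "198.51.100.10"),
            (2, "bob", "bob@example.com", "203.0.113.7"),
            (3, "carol", "carol@example.com", "192.0.2.44"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input spliced into the statement text: a quote in the input
    # changes the query, so a single lookup can return other users' rows.
    sql = (
        "SELECT userid, username, email, ipaddress FROM user "
        "WHERE username = '%s'" % username
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Bound parameter: the driver sends the value separately from the SQL,
    # so no input can alter the WHERE clause. This is the fix for the bug class.
    sql = "SELECT userid, username, email, ipaddress FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(username):
    # Defence in depth: reject values that cannot be a forum handle before
    # they reach the database at all. Not a substitute for parameterization.
    return USERNAME_RE.match(username) is not None


if __name__ == "__main__":
    db = make_db()
    bad = "x' OR '1'='1"   # constructed malformed input, not a real request
    print("vulnerable:", len(lookup_vulnerable(db, bad)), "rows")
    print("parameterized:", len(lookup_parameterized(db, bad)), "rows")
    print("valid handle?", is_valid_username(bad))
```

The vulnerable lookup returns every row for the malformed input while the parameterized one returns none, which is the difference between a lookup bug and a table dump.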
Hopefully these sites were running the latest patch level.
While we know that the attackers gained certain information, Canonical is certain that they did not gain access to user passwords, as the Forums rely on Ubuntu Single Sign On (SSO) for logins. They did not download any of the random strings, which according to Canonical were hashed and salted. Canonical also believes that the attackers were:
- Not able to gain access to any Ubuntu code repository or update mechanism.
- Not able to gain access to valid user passwords.
- Not able to escalate past remote SQL read access to the Forums database on the Forums database servers.
- Not able to gain shell access on any of the Forums app or database servers.
- Not able to gain access to all the Forums front end servers.
- Not able to gain access to any other Canonical or Ubuntu services.
In response to this hack, Canonical temporarily took the website down, backed up the servers running vBulletin, wiped them clean and rebuilt them from the ground up. They then brought vBulletin up to the latest patch level and reset all system and database passwords. While the attackers did not gain access to the passwords, users should still be wary of potential spam and phishing emails that may attempt to distribute malware.
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.