
vBulletin Forum Passwords Taken, Thousands Of Sites May be Affected

The vBulletin forums software has been breached, with hackers stealing customers’ password data. The breach – the latest in a series relating to vBulletin – could affect thousands of sites which use the popular bulletin board platform.

vBulletin staff have reset all passwords on its own user forum following evidence of the breach, but the software was in use at many other Internet sites, including MacRumors, where an attacker stole around 860,000 passwords last week, and Ubuntu Forums where an attack in July exposed 1.8 million user accounts. There are now fears that other vBulletin-based forums may also be exposed to danger.

Did you get the vBulletin memo?

One hacker group, Inj3ct0r, claimed on its Facebook page to have been behind both the MacRumors and vBulletin hacks. The group’s statement claims: “We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x.”

The group then offers a link to its site, where users are invited to pay for a patch, and justifies its actions, saying somewhat nonsensically: “We wanted to prove that nothing in this world is not safe”.

vBulletin, which is owned by Internet Brands, has not spoken about the wider danger, but has moved to secure its own bulletin board.

“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” it told users in a post on the vBulletin forum. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologise for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Security experts have been critical of vBulletin for some time. Brian Krebs in August warned that thousands of vBulletin sites had been hacked because their owners missed a crucial memo from the software maker, detailing a vulnerability that users could leave open if they did not delete the “install” directory.

In 2011, game company Valve Software’s forums were breached because the company had not upgraded to the latest version of vBulletin.


Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
