vBulletin enforces password reset after website attack


Forum owners and users beware!

The website of popular forum software maker vBulletin has been breached.

Following claims, nay, boasts, of an attack on Sunday evening, the software developer moved quickly to negate the effects of the hack by releasing a series of security patches on Monday, saying:

A security issue has been reported to us that affects the versions of vBulletin listed here: 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 5.1.9 We have released security patches to account for this issue. It is recommended that all users update as soon as possible.

That was in response to a hacker going by the name of “Coldzer0” who bragged about his alleged exploits on various web forums, as well as social media. He also uploaded a Youtube video and posted data on Facebook, both of which have since been deleted.

Additionally, in a post co-authored with @Cyber_War_News, he also claimed to have compromised the forums for Foxit Software, using the exact same vulnerability. He says he obtained information from more than 260,000 of Foxit’s 537,000 user accounts, telling @Cyber_War_News that he thought it strange his hacking attempts were not detected.

All in, Coldzer0, is believed to have made off with personal data belonging to some 479,895 users from the two attacks.

According to databreaches.net, Coldzer0 swiped user ids, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords.

While it is not yet clear how the hack took place, Coldzer0 claims he exploited a zero-day vulnerability affecting vBulletin.com, a possibility lent some credence by a report from the Register which offers up links to a couple of tweets which appear to confirm as much.

In addition to the security patches, vBulletin has also taken the additional step of enforcing a password change upon all of its users, using a post on its own forum to announce the global reset request:

We take your security and privacy very seriously. Very recently, our security team discovered a sophisticated attack on our network. Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.

We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect your account.

If you think that message looks familiar, you’d be spot on – it’s almost a carbon copy of what Paul Ducklin described as “that verbiage trap” when covering a very similar breach at vBulletin in November 2013.

I won’t repeat what Paul wrote here but will add that the phrase “We take your security and privacy very seriously” really does ring quite hollow with customers when uttered immediately after a breach which, at the very least, offers the merest inkling that may not have actually been the case.

The password reset notice also ends in an identical fashion to the message put out in 2013, saying:

Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose a password that you are not using on any other sites.

Again, as Paul wrote two years ago, that isn’t bad advice, but it could be better: reusing passwords is a bad idea. Period. Don’t do it. Ever.

Instead, vBulletin should cease “highly recommending” that its users employ a unique password on every site and instead demand it.

Just to make that clearer: if you are administering a site that uses vBulletin software, install the patch now.

Likewise, along with anyone who has ever signed up for the vBulletin or Foxit Software forums, change your password now and make it long, complex and unique, just as we explain in the following video:

→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.