Ubuntu Linux developer Canonical has confirmed that a data breach exposed personal information of two million users of its forum.
In a statement, Canonical said that it had received notification that someone was claiming to have accessed its forum database. An investigation confirmed the breach, which Canonical said had exposed two million usernames, email addresses and IP addresses. The forum was shut down as a precaution and all system and database passwords were reset.
The attacker was not able to access any Ubuntu code repository or any valid user passwords, Canonical said. Nor did the attacker gain write access to the forum database or access to any other Canonical or Ubuntu service.
The statement added that the breach was the result of a known SQL injection vulnerability in the Forumrunner add-on on the forum, which Canonical had neglected to patch.
“The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table,” the statement added.
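The pattern Canonical describes, an add-on pasting a request value into a query so that a UNION can pull rows from any table, is easy to reproduce in miniature. The following is an added example and is not Canonical's, vBulletin's or Forumrunner's code: the in-memory schema, the hypothetical "fetch posts for a thread" handler and the attacker inputs are all constructed for this illustration, and only the table name `user` is taken from the statement above.

```python
# Added example, not Canonical's, vBulletin's or Forumrunner's code.
# A constructed in-memory forum schema with a hypothetical "fetch posts
# for a thread" handler, written once with string concatenation (the
# pattern behind SQL injection) and once with a bound parameter.
import sqlite3


def make_db():
    """Build a constructed SQLite database mimicking a forum.

    Only the table name 'user' is taken from Canonical's statement; the
    columns, the 'post' table and all rows are made up for this example.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE user (
            userid INTEGER PRIMARY KEY, username TEXT, email TEXT,
            password TEXT, salt TEXT, ipaddress TEXT);
        CREATE TABLE post (
            postid INTEGER PRIMARY KEY, threadid INTEGER,
            title TEXT, pagetext TEXT);
        INSERT INTO user VALUES (1, 'alice', 'alice@example.org',
                                 'hash-a', 'salt-a', '192.0.2.10');
        INSERT INTO user VALUES (2, 'bob', 'bob@example.org',
                                 'hash-b', 'salt-b', '192.0.2.11');
        INSERT INTO post VALUES (1, 7, 'Hello', 'first post');
        INSERT INTO post VALUES (2, 7, 'Re: Hello', 'a reply');
        INSERT INTO post VALUES (3, 8, 'Other', 'unrelated thread');
        """
    )
    return db


def get_posts_vulnerable(db, threadid):
    """Hypothetical add-on handler: the request value is pasted into SQL."""
    sql = "SELECT title, pagetext FROM post WHERE threadid = " + str(threadid)
    return db.execute(sql).fetchall()


def get_posts_safe(db, threadid):
    """Same query with the value type-checked and bound as a parameter."""
    threadid = int(threadid)  # rejects anything that is not an integer id
    sql = "SELECT title, pagetext FROM post WHERE threadid = ?"
    return db.execute(sql, (threadid,)).fetchall()


# Constructed attacker inputs. The UNION must match the handler's column
# count (two), so each payload selects exactly two columns. The first one
# lists every table in the database, the second reads the 'user' table.
ENUMERATE_TABLES = "7 UNION SELECT name, sql FROM sqlite_master"
DUMP_USERS = "7 UNION SELECT username || ':' || email, ipaddress FROM user"


def is_injectable(db, handler):
    """True if the handler leaks 'user' rows when fed the DUMP_USERS payload."""
    try:
        rows = handler(db, DUMP_USERS)
    except ValueError:
        return False  # the hardened handler refuses the non-integer id
    return any(row[1].startswith("192.0.2.") for row in rows)


if __name__ == "__main__":
    db = make_db()
    for row in get_posts_vulnerable(db, ENUMERATE_TABLES):
        print("leaked schema:", row)
    for row in get_posts_vulnerable(db, DUMP_USERS):
        print("leaked row:", row)
    print("vulnerable handler injectable:", is_injectable(db, get_posts_vulnerable))
    print("safe handler injectable:", is_injectable(db, get_posts_safe))
```

Run as a script, the vulnerable handler first hands back the schema of every table (the step an attacker takes before choosing which one to read) and then the username, email and IP columns of `user` mixed in with the thread's real posts; the parameterized handler returns only posts for a genuine thread id and rejects the payloads outright. A web application firewall of the kind Canonical added can block the obvious `UNION SELECT` strings, but it does not remove the underlying concatenation, which is why the add-on itself had to be patched.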
The attacker downloaded the portion of the ‘user’ table that held the password field; according to Canonical the stored values were random strings that had been salted and hashed, although it did not reveal which hashing scheme was used.
As well as resetting passwords, Canonical also wiped and rebuilt the servers that were running the vBulletin software and patched it to the most recent release. It has also added a web application firewall to beef up its defenses.
“We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation,” the statement added. “Corrective action has been taken, and full service of the Forums has been restored. We apologise for the breach and ensuing inconvenience.”
This is the second major breach of a vBulletin forum in recent weeks. In June this year, Canadian media company VerticalScope said its forums had been breached, exposing email addresses, usernames, IP addresses and passwords belonging to 45 million users spread across 1100 different forums.
Photo © wk1003mike