Canonical’s Ubuntu Forums have been hacked, and the attacker has managed to access and download part of the Forums database, containing usernames, email addresses and IPs for 2 million users.
“No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted),” Canonical CEO Jane Silber explained on Friday.
The company discovered the compromise after being notified that someone was claiming to have a copy of the Forums database.
They immediately shut down the Forums and began investigating how the breach happened.
As might have been expected, the attacker took advantage of an SQL injection vulnerability. In this case, it was a known vulnerability in the Forum Runner add-on used by the Forums, which the admins had not managed to patch in time.
Silber says that the problem has been solved by rebuilding the servers running vBulletin for the Forums, bringing vBulletin up to the latest patch level, and by resetting all system and database passwords. They have also installed a web application firewall, and promised to become better at implementing security patches.
She also noted that no other assets, including the Ubuntu code repository, the Forums front end servers, and any other Canonical or Ubuntu services, were compromised.
This is not the first time that the Ubuntu Forums were hacked. Exactly three years ago an attacker made off with the table containing usernames, email addresses, and salted and hashed passwords for all the Forum users (1.82 million at the time), and defaced the Forums.
That attacker leveraged a compromised moderator account and an XSS vulnerability to gain administrator access to the Forums.
After that hack, Canonical implemented a slew of changes, including the implementation of Ubuntu Single Sign On for user authentication.