Vulnerabilities in older versions of the popular vBulletin Internet forum software are being exploited left and right, and data of millions of forum users is being pilfered every day.
According to Leaked Source, the latest victims are users of several Mail.ru and Funcom gaming forums, of two legal advice forums (Expertlaw.com and Freeadvice.com), and of GamesForum.com and PpcGeeks.com.
Mail.ru forums’ breaches account for over 25 million compromised user records – usernames, email addresses, MD5 password hashes (reported as "encrypted" passwords, but hashed rather than encrypted), dates of birth, etc. The Funcom forums’ breaches affected more than a million users.
“Not a single website used proper password storage, they all used some variation of MD5 with or without unique salts,” the Leaked Source team noted.
This fact allowed them to crack over 15 million passwords from the various forums already. Predictably, a great number of them are short and weak (“123456789”, “qwertyuiop”, “11111111”, and so on).
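To make concrete why "some variation of MD5 with or without unique salts" is so quickly cracked, here is an added example (not code from Leaked Source or from any of the forums) of a dictionary attack against hashes in the scheme vBulletin 3.x/4.x used, md5(md5(password) + salt), placed beside a hardened replacement using PBKDF2-HMAC-SHA256 from the Python standard library. The usernames, salts and passwords in the sample dump are constructed for the example; the point is that a per-user salt stored next to the hash only stops precomputed tables, while the hash itself still costs two MD5 calls per guess, and the inner md5(password) is salt-independent, so it is computed once per guess for every user in the dump.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# vBulletin 3.x/4.x scheme: md5(md5(password) + salt). The salt is stored in
# plaintext beside the hash, so an attacker holding the dump has it too.
def vb_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

# Constructed sample dump (invented users, salts and passwords), built with
# the scheme above so the hashes are genuine md5(md5(pw)+salt) values.
SAMPLE_USERS = [
    ("alice", "a1b", "123456789"),
    ("bob", "x9z", "qwertyuiop"),
    ("carol", "q7q", "correct horse battery staple"),
]
SAMPLE_DUMP: List[Tuple[str, str, str]] = [
    (user, vb_hash(pw, salt), salt) for user, salt, pw in SAMPLE_USERS
]

# A tiny constructed wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["password", "123456789", "qwertyuiop", "11111111", "letmein"]


def crack_dump(dump: List[Tuple[str, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on (username, stored_hash, salt) rows.

    The inner md5(guess) does not depend on the salt, so it is computed once
    per guess and reused for every user; each (guess, user) pair then costs a
    single additional MD5 over a short string.
    """
    inner = {g: hashlib.md5(g.encode()).hexdigest() for g in wordlist}
    found: Dict[str, str] = {}
    for username, stored, salt in dump:
        for guess, inner_hex in inner.items():
            if hashlib.md5((inner_hex + salt).encode()).hexdigest() == stored:
                found[username] = guess
                break
    return found


# Hardened form: a deliberately slow, salted KDF. 600,000 iterations is the
# OWASP (2023) recommendation for PBKDF2-HMAC-SHA256; each guess now costs
# that many HMAC computations instead of one or two MD5 calls.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing does not leak the hash.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked:", crack_dump(SAMPLE_DUMP, WORDLIST))
    stored = pbkdf2_hash("123456789")
    print("pbkdf2 verify:", pbkdf2_verify("123456789", stored))
```

Running it recovers the two weak passwords from the constructed dump instantly and leaves carol's passphrase unbroken only because it is not in the wordlist; with the PBKDF2 form, the same "123456789" would still be guessable, but each guess costs the attacker 600,000 HMAC operations rather than one MD5 over a 35-byte string, which is the difference between cracking 15 million hashes in days and cracking a handful in the same time.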
A Mail.ru spokesperson told Softpedia that the passwords mentioned by LeakedSource are no longer valid, and that they are old passwords to the forums of game projects that Mail.ru Group acquired over the years.
“All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way,” the spokesperson said.
Funcom also confirmed the breach, saying it happened due to a security fault in the vBulletin forum system.
“This security fault was corrected on our forums on August 19th, 2016, but we are unable to determine exactly when the data breach occurred prior to the fix,” they noted, and added that they forced a password reset for all accounts for all the breached forums (TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com).
They also admitted (too matter-of-factly, if you ask me) that “even though passwords were encrypted, these can be cracked and should be considered compromised.”
As far as I can find, Expertlaw.com has not mentioned any breach, but it can be seen on their forum website that they are running vBulletin 4.2.3. More than likely, they didn’t implement a patch for an SQL injection vulnerability in time (possibly even this one).
The FreeAdvice.com forums are currently being updated (no mention of a breach). GamesForums.com is online, still running on an older vBulletin version (4.2.1).
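The version numbers quoted above are visible because vBulletin 4 pages carry a generator meta tag and a "Powered by vBulletin Version x.y.z" footer. As an added example (not code from the article, vBulletin or any of the forums named), here is a small fingerprint check that pulls that version string out of a page and compares it against a minimum the operator considers patched; the article names no specific fixed release, so the minimum is a parameter rather than a value asserted here, and the HTML sample is constructed, not captured from any real site.

```python
import re
from typing import Optional, Tuple

# Constructed sample of what a vBulletin 4 page exposes (generator meta tag
# plus the copyright footer). Not copied from any real forum.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="vBulletin 4.2.3" />
</head><body>
<div id="footer_copyright">Powered by vBulletin&reg; Version 4.2.3</div>
</body></html>"""

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="vBulletin\s+([\d.]+)', re.IGNORECASE
)
FOOTER_RE = re.compile(
    r"Powered by vBulletin(?:&reg;|®|&#174;)?\s+Version\s+([\d.]+)", re.IGNORECASE
)


def vbulletin_version(html: str) -> Optional[Tuple[int, ...]]:
    """Return the advertised vBulletin version as an int tuple, or None.

    The meta tag is checked first; the footer is a fallback for pages whose
    head has been trimmed by a custom template.
    """
    for pattern in (GENERATOR_RE, FOOTER_RE):
        match = pattern.search(html)
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def is_below(found: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """True when the advertised version is older than the operator's minimum.

    Tuple comparison handles differing lengths: (4, 2, 3) < (4, 2, 3, 1), so a
    patch-level suffix on the minimum is respected.
    """
    return found < minimum


if __name__ == "__main__":
    # To check a live site, feed it the page body, e.g.
    # urllib.request.urlopen(url).read().decode("utf-8", "replace").
    version = vbulletin_version(SAMPLE_HTML)
    print("advertised version:", version)
    print("below (4, 2, 3)?", is_below(version, (4, 2, 3)) if version else "unknown")
```

The check is only as good as the string the site advertises: an administrator can remove the meta tag and footer, and a patch applied in place does not always bump the displayed number, so a match should prompt a look at the actual installed files and the vendor's patch notes rather than be taken as proof either way.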