Kodi forum breach: User data, encrypted passwords grabbed

The developers of Kodi, the widely used open-source media player app, have revealed a data breach of its user forum.

What happened?

The breach did not happen due to a vulnerability. Instead, an unknown attacker used the account of a legitimate but inactive member of the forum admin team to access the MyBB admin console on two occasions: February 16 and 21, 2023.

The attacker was able to create backups of databases, which they then downloaded and deleted. Nightly full-backups of the database were also downloaded.

“The nightly full backups that were downloaded expose all public forum posts, all team forum posts, all messages sent through the user-to-user messaging system, and user data including forum username, email address used for notifications, and an encrypted (hashed and salted) password generated by the MyBB (v1.8.27) software,” Team Kodi further explained.

“At the current time, we have found no evidence of unauthorized access to the underlying server that hosts the MyBB software.”

What should users do?

The Kodi user forum is currently inaccessible.

“Although MyBB stores passwords in an encrypted format we must assume all passwords are compromised,” the team said, and they are keeping the forum offline until they find a way to reset all passwords.

Even though no compromise of the underlying system has been detected, the Kodi team is standing up a new forum server – just to be on the safe side.

The new server will run the latest version of MyBB software. “This requires us to extract and review all differences between the latest MyBB release and the fork we maintain, which includes numerous functional changes and backported security fixes. This is not a simple task and the forum will remain offline until it completes: we estimate several days more work,” the team said.

“As part of the redeployment we will restrict and harden access to the MyBB admin console, revise admin roles to reduce privileges wherever possible, and improve audit logging and backup processes.”

They’ve also notified the UK Information Commissioner’s Office about the breach, and will be sharing the exposed email address data with the haveibeenpwned service, so users can assess if their account has been compromised in this data breach.

Once the server is back online, users will be required to choose new passwords (they should also change the password on any other account where they used the same one as on the Kodi forum). In the meantime, users can peruse a March snapshot of the Wiki and a read-only April copy of the forum.

UPDATE (April 13, 2023, 06:20 a.m. ET):

The Kodi Foundation has submitted the impacted email addresses to HIBP.