Ubuntu Forums security breach

Canonical announced today that it detected a security breach on the Ubuntu Forums site. The company has since then taken corrective actions and restored the forums service.

According to the company, it became aware of the breach on July 14, 2016 after a member of the Ubuntu Forums Council informed the company that someone claimed to have a copy of the Forums database.

Canonical confirmed the breach shortly thereafter and discovered that the attacked used a SQL injection vulnerability to gain access to the Forums database.

It believes that the attacker managed to dump a portion of the users table of the forum. This table contains usernames, email addresses and IP addresses for the two million users of the forum.

Passwords were not accessed, but encrypted Ubuntu Single Sign On for logins were. The attacker did download these strings which were hashed and salted according to Canonical.

The attacker did not manage to gain access to Ubuntu code, repository, or update mechanisms. Also, the attacker did not gain access to valid user passwords as they were not stored using that database.

There has been a security breach on the Ubuntu Forums site. We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation. Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we’d like to share the details of the breach and what steps have been taken. We apologise for the breach and ensuing inconvenience.

Canonical performed cleanup and hardening operations. First, it backed up the servers running the vBbulletin software, then wiped them clean and rebuilt them from the ground up. It updated the forum software to the latest patch level, and reset all system and database passwords.

Also, it installed ModSecurity on the server which protects the server from certain kinds of attacks, and improved its monitoring of vBulletin to "ensure that security patches are applied promptly".

This reads as if the vBulletin forum software was not fully patched even though it could have been, and that this resulted in the successful attack against the forum software.

Good news is that passwords were not stolen. Affected forum members need to be aware that the attacker, or someone buying the database dump, could still use the information for attacks.

Possible scenarios include phishing emails, social engineering, and brute force attacks against popular services on the Internet using the email address in question.

Now You: What would you do if you'd be affected by the hack?