Ubuntu user forums hack leaks millions of user details - SQL Injection Vulnerability

in #ubuntu · 8 years ago


Another day, another hack; it seems to be all the rage these last few days, with the Steemit browser exploit, the Pokémon Go DDoS and now the Ubuntu Forums.

Official announcement at: http://insights.ubuntu.com/?p=51117

Canonical, the parent company of popular Linux distribution Ubuntu, has disclosed that its user web forums have suffered a major data breach.

Over the weekend, Canonical said that it had come across claims that a third party had a copy of the Ubuntu Forums database.

The company was able to verify that a breach had taken place, with a database containing details of two million Ubuntu Forums users being leaked.

No "active passwords" were copied, although the attacker did download the random, hashed and salted strings generated by Ubuntu Single Sign On that are used for Forum logins.

What happened

At 20:33 UTC on 14th July 2016, Canonical’s IS team were notified by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the Forums database.

After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.
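The root cause named above is a classic SQL injection: user input concatenated into a query string. The following is an added illustration written for this post, not code from Canonical, the Ubuntu Forums or the Forumrunner add-on. It uses an in-memory SQLite table with constructed placeholder rows to show the vulnerable pattern next to two defensive measures: a parameterised query, and an allow-list check on the username as defence in depth. The schema, the sample usernames and the placeholder hash strings are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample rows: the hash column holds placeholder strings, not real
# salted hashes, and the schema is an assumption made for this example.
SAMPLE_USERS = [
    ("alice", "$placeholder$salt-a$hash-a"),
    ("bob", "$placeholder$salt-b$hash-b"),
    ("carol", "$placeholder$salt-c$hash-c"),
]

# Allow-list for forum-style usernames (assumed policy for the demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The broken pattern: the caller's string is spliced straight into SQL.

    A single quote in `username` ends the literal and lets the rest of the
    input be parsed as SQL, so a crafted value can change the WHERE clause.
    """
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the driver binds the value, it is never parsed as SQL."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username):
    """Defence in depth: reject anything outside the allowed character set."""
    return bool(USERNAME_RE.match(username))


def lookup_hardened(conn, username):
    """Validate first, then use the parameterised query. Returns [] on invalid input."""
    if not is_valid_username(username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    # A tautology input (constructed for the demo) shows the difference:
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))   # every row leaks
    print("parameterised:", lookup_safe(db, crafted))      # no row matches
    print("hardened:", lookup_hardened(db, crafted))       # rejected before the query
    print("normal login lookup:", lookup_hardened(db, "alice"))
```

The vulnerable function returns the whole table for the crafted input because the quote closes the string literal and the remainder is evaluated as SQL; the parameterised version treats the same input as an ordinary (non-matching) username, and the allow-list check stops it before a query is even issued. In a real forum the lookup would sit behind authentication code, but the fix is the same: never build SQL by string formatting, and keep unpatched add-ons such as the one named above out of production until the vendor fix is applied.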

Full details at http://insights.ubuntu.com/?p=51117