Over 800,000 user account details stolen from vulnerable forums running vBulletin

If you’re a member of an online forum, there’s a good chance that the site is running a piece of software called vBulletin.

The relative ease with which it’s possible to get a vBulletin forum up and running in a short period of time, has made it a popular choice and made it, in its own words, “the world’s leading community software.”

But don’t make the mistake of thinking that just because a piece of software has been widely adopted that it’s a safe choice. Things get much more complicated when you realise that many vBulletin forums have been launched and then left to their own devices, disregarded by their admins who fail to keep on top of all-important security patches and updates.

This was brought home to me today when I read that a hacking gang claims to have broken into 126 vBulletin forums, and stolen the details of over 800,000 users and forum administrators.

The hack, which is thought to have taken place in the first two months of this year, saw 819,977 user accounts exposed – with details such as users’ email addresses and hashed passwords stolen.

When you consider just how many people make the mistake of reusing the same passwords for multiple sites, you begin to realise just how worrying it is that the data apparently include credentials associated with 219,324 Gmail accounts, 108,777 Yahoo accounts, and 121,507 Hotmail accounts.

You may not particularly care that the forum account you set up to discuss your escapades in the Call of Duty videogame has been compromised, but you surely will if that information leads to – say – your Gmail account being hacked by online criminals.

There has been a long history of poorly-secured vBulletin forums being “popped” by hackers, eager to suck up the credentials and personal information of users.

For example, last year vBulletin-powered chat forums belonging to Valve’s multiplayer fantasy game Dota 2 suffered a data breach, exposing the private information of 1.9 million accounts. A similar fate befell 1.6 million fans of the popular smartphone game Clash of Kings.

In 2015, users of the Epic Games forum found that their account passwords had been compromised, potentially also giving hackers access to members’ usernames, email addresses and dates of birth. The reason? The Epic Games forum was running an out-of-date and vulnerable version of vBulletin.

Similar security breaches previously impacted 1.8 million users of Ubuntu’s online forums, 860,000 users of the MacRumors forum, and – irony of ironies – vBulletin’s own forum.

Frankly, the list goes on and on…

vBulletin has long been targeted by online criminals who have exploited vulnerabilities in its code to trick it into spewing out information about forum users. Hackers have the tools at their fingertips to quickly identify which online forums are vulnerable to known vulnerabilities.

Unless website administrators wake up to the fact that they can no longer disregard the security of online forums, we will carry on hearing stories like this. If they do not keep software like vBulletin updated with the latest security patches, and put defences in place to reduce the risk of systems being breached and data being leaked, then they are putting customers’ privacy and security at risk.

Meanwhile, we regular users of the internet need to take greater care when we create online accounts – never reusing passwords, and taking care over the personal information we share when we register for an internet forum.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • But there's a difference between the old original vBulletin from Jelsoft Enterprises Ltd. (latest version 3.8.9PL1) and the newer (current) one >=4.0 from InternetBrands Inc. and now vBulletin Solutions Inc.

    Although 3.8.x is very old, it is rock stable and safe.

    All hacked vBulletin boards were running >=4.0.