Once again hackers have targeted vBulletin users, this time leaking information from 819,977 user accounts.
A hacker by the handle “CrimeAgency” boasted on Twitter that he hacked 126 vBulletin forums to steal the credentials of hundreds of thousands of users and forum administrator information including email addresses, hashed passwords, and 1681 unique IP addresses.
Based on domains, researchers spotted 219,324 Gmail accounts, 11,070 Outlook accounts, 108,777 Yahoo accounts and 121,507 Hotmail accounts among the compromised data. The leaked information was reportedly scanned by online data mining and breach notification platform Hacked-DB, according to HackRead.
The breach happened between January and February 2017, and most of the compromised forums were based on vBulletin 4.x, which was patched in June 2016 and could be exploited using multiple security vulnerabilities, including SQL injection attacks.
“When you consider just how many people make the mistake of reusing the same passwords for multiple sites, you begin to realise just how worrying it is that the data apparently include credentials associated with 219,324 Gmail accounts, 108,777 Yahoo accounts, and 121,507 Hotmail accounts,” independent researcher Graham Cluley said in a Feb. 28 Bitdefender blog post.
“You may not particularly care that the forum account you set up to discuss your escapades in the Call of Duty videogame has been compromised, but you surely will if that information leads to – say – your Gmail account being hacked by online criminals,” he wrote.
Cluley went on to say that many vBulletin forums have been abandoned and disregarded by their admins, who fail to keep on top of all-important security patches and updates. Unfortunately, automatic updates aren't an option, as many of them could essentially make the site more vulnerable.
“It would expose a backdoor into customer sites that, if exploited, would give the attacker a single point to compromise every website,” Prevoty Software Security Senior Engineer Joe Rozner told SC Media. “Additionally, customer environments may vary and an automated update could break their apps.”
This isn't the first time hackers have targeted vBulletin platforms for user credentials. The platform was exploited in 2015 to steal credentials from Epic Games forums.
In July 2016, threat actors stole 1.6 million accounts from the Clash of Kings forum, which also used an older version of vBulletin, and in August 2016, threat actors targeted 11 sites, many of them from Russia, and used the credentials to compromise 27 million more accounts.
vBulletin claims that its software powers some of the largest social sites on the web including NASA, NFL teams and several gaming sites.
SC Media attempted to reach vBulletin for comment but has yet to receive a response.