All passwords have been reset for users of vBulletin software, used for website forums, following a breach that compromised the personally identifiable information of nearly 480,000 subscribers, according to Ars Technica.
While the developer released a security patch on Monday night, hours after the incursion was detected, Ars Technica suggested that from available evidence the site “contained a zero-day vulnerability that allowed hackers in the wild to gain almost complete control over websites that used the forum app.”
However, Wayne Luke, technical support lead at vBulletin, denied a zero-day was responsible. “These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications,” he said in a statement issued on Monday.
Tod Beardsley, principal security research manager at Rapid7, said in a statement issued on Wednesday that it looks like the attack on vBulletin was due to a SQL injection bug in its forum software.
Beardsley advised organizations that rely on vBulletin to apply the security patch immediately. “vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering hole attack. An unpatched bug in the platform can expose downstream users to serious risk,” the security researcher explained.
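To make concrete what a SQL injection bug of the kind Beardsley refers to looks like, and what the fix is, here is an added example that is not vBulletin's code and uses a constructed schema. It is written in Python against an in-memory SQLite database rather than the PHP/MySQL stack vBulletin runs on, because the point (string-built SQL versus a parameterized query) is the same on any driver. The user table, sample rows and the hypothetical `lookup_*` functions are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample data for a tiny forum "user" table (not vBulletin's real schema).
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug pattern: untrusted input is spliced into the SQL text itself.

    Whatever the caller passes becomes part of the statement, so a value
    containing a quote character can change the query's structure, not just
    the value being compared.
    """
    sql = (
        "SELECT userid, username, email FROM user WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query.

    The SQL text is fixed; the driver binds the value separately, so the input
    is only ever compared as data and cannot alter the statement.
    """
    sql = "SELECT userid, username, email FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(username: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the safe lookup)
    for the same input, so the two behaviours can be compared side by side."""
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.OperationalError:
        # A malformed statement (e.g. an unbalanced quote) is itself a tell
        # that input is reaching the SQL parser; treat it as "query broke".
        vulnerable = -1
    safe = len(lookup_safe(conn, username))
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # Ordinary input: both lookups agree.
    print("alice ->", row_counts("alice"))
    # Constructed textbook tautology input: the string-built query returns
    # every row, the parameterized one matches nothing.
    print("tautology ->", row_counts("' OR '1'='1"))
```

The practical check for a code base is mechanical: any place where a query string is assembled with concatenation or formatting from request data is a candidate for the first function's behaviour, and the remediation is to move every such value into a bound parameter as the second function does. A database error triggered by a stray quote in a form field is usually the first observable symptom.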