User data compromised in breach of vBulletin

All passwords have been reset for users of vBulletin software, used for website forums, following a breach that compromised the personally identifiable information of nearly 480,000 subscribers, according to Ars Technica.

While the developer released a security patch on Monday night, hours after the incursion was detected, Ars Technica suggested that, from available evidence, the site "contained a zero-day vulnerability that allowed hackers in the wild to gain almost complete control over websites that used the forum app."

However, Wayne Luke, technical support lead at vBulletin, denied a zero-day was responsible. "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications," he said in a statement issued on Monday.

Tod Beardsley, principal security research manager at Rapid7, said in a statement issued on Wednesday that the attack on vBulletin appears to have been due to a SQL injection bug in its forum software.

Beardsley advised organizations that rely on vBulletin to apply the security patch immediately. "vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering hole attack. An unpatched bug in the platform can expose downstream users to serious risk," the security researcher explained.
