A known SQL injection vulnerability affecting vBulletin software was exploited by an attacker to breach the Ubuntu Forums database. The attacker accessed the user table, containing usernames, email addresses, Internet Protocol addresses, and the hashed and salted strings used for Ubuntu Single Sign On logins of 2 million users.
“The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers,” Canonical Ltd. CEO Jane Silber wrote in a company blog post. “This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.”
Canonical, the software vendor that powers the Ubuntu project, has since patched the vBulletin flaw and reset all system and database passwords. The company also backed up its servers running vBulletin, then wiped and rebuilt them.
In November, vBulletin reset all user passwords after a breach compromised personally identifiable information of almost 480,000 subscribers.