Ubuntu Forums Breach Affects Two Million Users

Matthew Broersma,
Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

The breach resulted from an unpatched bug, Canonical admits

Canonical, the developer of Ubuntu Linux, has warned that data concerning two million users of its forums was compromised in a breach.

The incident, occurring amidst a number of large data breaches concerning social media sites such as LinkedIn that have affected hundreds of millions of users, is an embarrassment for the developer, in part because it resulted from the failure to fix a known bug in the site’s forum software.

Unpatched flaw

secure password

Canonical said it was notified of the breach on Jul 14 and temporarily shut down the forums, which run on software called vBulletin using an add-on called Forum Runner, while it investigated.

“There was a known SQL injection vulnerability in the Forum Runner add-on in the forums which had not yet been patched,” Canonical said in an advisory.

The unpatched bug allowed an attacker to inject SQL into the forums database that gave them the ability to read from any of that database’s tables, the company said, adding it believes the attacker only read from the “user” table.

“They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users,” Canonical stated.

Unlike in the case of a similar breach of Canonical’s forums almost exactly three years ago, in July 2013, no active passwords were accessed, because the forums now rely on Ubuntu’s single sign-on system, which generates random strings that are stored as passwords stored in the database’s “user” table, according to the company.

Repeat incident

“The attacker did download these random strings (which were hashed and salted),” Canonical stated. Hashing and salting are forms of encryption.

In the 2013 breach the passwords of 1.8 million users were accessed, and the company advised users to change credentials that had been reused on other websites.

Canonical said it thinks the attacker wasn’t able to access any code repository or update mechanism or any valid user passwords, and believes the incident was confined to reading the forums database.

The company said it has reset its system and database passwords, rebuilt the servers running vBulletin and installed the most recent security fixes, as well as tightening its monitoring of vBulletin to ensure patches are kept up to date and installing a web application firewall.

“We apologise for the breach and ensuing inconvenience,” Canonical stated.

User data breaches pose a growing risk in part because information such as passwords can often be used to stage attacks on other accounts.

The recent breach affecting business social network LinkedIn, for instance, led to further hacks on prominent individuals including Mark Zuckerberg and is believed to have facilitated a wave of attacks using a remote desktop tool called TeamViewer.

Are you a security pro? Try our quiz!