
Ubuntu Forums Hacked, 2 Million Users’ Details Stolen


19 replies to this topic

#1 JohnC_21

  • Members
  • 22,660 posts
Posted 15 July 2016 - 06:13 PM

The Ubuntu forums have been hacked and the IP address, username, and email address of over two million users have been “stolen”. 

The online forum was the only piece of infrastructure compromised, the company say. No other Ubuntu website, repository or update mechanism is known to have been affected. 

“Known SQL Injection Vulnerability to blame”

Canonical CEO Jane Silber explains: “We were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.”

Article
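The breach is attributed to an unpatched SQL injection flaw in the Forumrunner add-on. As an added illustration that is not code from the article, from Canonical or from the add-on itself, the block below shows the defect class and its fix side by side: a lookup that splices user input into the query text, and the same lookup with a bound parameter, run against a constructed in-memory SQLite table so it executes offline. The table, usernames and addresses are made up for this demonstration.

```python
# Added example (not from the article or the Forumrunner add-on): the same user
# lookup written by string formatting and with a parameterised query. The
# in-memory SQLite table and its rows are constructed for this demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by string formatting: the input becomes part of the query text."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Passes the value as a bound parameter: the driver treats it strictly as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves identically either way.
    print(lookup_vulnerable(db, "alice"))
    print(lookup_parameterised(db, "alice"))
    # A value containing a quote rewrites the WHERE clause of the formatted
    # query, but is just a (non-matching) username for the parameterised one.
    tainted = "x' OR '1'='1"
    print(len(lookup_vulnerable(db, tainted)))     # 2 rows: every user is returned
    print(len(lookup_parameterised(db, tainted)))  # 0 rows: no user has that name
```

The practical takeaway for anyone maintaining forum software or its add-ons is that the fix is structural, not cosmetic: every query that carries user-supplied data should use bound parameters, and a code review or grep for string-built SQL is the quickest way to find the remaining cases.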


#2 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 12,421 posts
  • Location:127.0.0.1 Australia

Posted 15 July 2016 - 06:19 PM

These things happen, as anybody who runs a site will tell you; forum software is hard to secure and not hard to hack if you know what you are doing.



#3 JohnC_21
  • Topic Starter

  • Members
  • 22,660 posts

Posted 15 July 2016 - 06:30 PM

These things happen, as anybody who runs a site will tell you; forum software is hard to secure and not hard to hack if you know what you are doing.

Exactly. That is why it's always a good idea to use a junk or alias email address when registering on a forum.


Edited by JohnC_21, 15 July 2016 - 06:30 PM.


#4 Viper_Security

  • Members
  • 816 posts
  • Location:127.0.0.1

Posted 15 July 2016 - 06:34 PM

 

These things happen, as anybody who runs a site will tell you; forum software is hard to secure and not hard to hack if you know what you are doing.

Exactly. That is why it's always a good idea to use a junk or alias email address when registering on a forum.

 

I always do, I even have one for my Twitter crawler with Maltego :P

 

Even this email is a "throw away" haha


Edited by Viper_Security, 15 July 2016 - 06:34 PM.

    IT Auditor & Security Professional



#5 66Batmobile

  • Members
  • 295 posts
  • Location:State of Denial

Posted 15 July 2016 - 07:33 PM

Question: Per the article, what does "hashed and salted" mean?
:scratchhead:


Gen. Barker - You haven't heard the last of this!!

Hawkeye Pierce - I wasn't listening to the first of it...


#6 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 12,421 posts
  • Location:127.0.0.1 Australia

Posted 15 July 2016 - 07:40 PM

 

Hashing is using a cryptographic algorithm to convert data like a password into a fixed length string of characters called a fingerprint. Salting is a way to randomize hashes by adding a random string (which is called a salt) before a password is hashed, which makes it much more difficult to crack the password hash.
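The two ideas in the answer above, a fixed-length fingerprint and a per-user random salt, can be seen concretely in a few lines. This is an added example, not code from the post or from the Ubuntu forums; it uses PBKDF2-HMAC-SHA256 from Python's standard library (one of several suitable password hashing schemes), and the passwords and salts are constructed for the demonstration. A real system draws each salt from os.urandom, as new_record does here.

```python
# Added example (not from the post): unsalted vs. salted password hashing using
# PBKDF2-HMAC-SHA256. Passwords below are constructed for the demonstration.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor: each guess an attacker makes costs this much


def plain_hash(password: str) -> str:
    """Unsalted SHA-256: the same password always yields the same fingerprint,
    so two users with the same password are exposed together."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash. Returns 'salt$digest' so the salt is stored
    alongside the digest (the salt is not secret, only unique per user)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def new_record(password: str) -> str:
    """What a site stores at registration: a fresh 16-byte random salt per user."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Two users who happened to choose the same password (constructed example).
    print(plain_hash("correct horse") == plain_hash("correct horse"))  # True: identical
    a, b = new_record("correct horse"), new_record("correct horse")
    print(a == b)                       # False: different salts, different stored values
    print(verify("correct horse", a))   # True
    print(verify("wrong", a))           # False
```

The point the example makes is the one in the reply: without a salt, a single precomputed table of common passwords matches every account at once; with a unique salt, each account must be attacked on its own, and the iteration count makes each attempt slow.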



#7 66Batmobile

  • Members
  • 295 posts
  • Location:State of Denial

Posted 15 July 2016 - 08:04 PM

Learn something new every day...

Thanks Nick... :thumbsup2:

Regarding the topic, seems linux is becoming more "popular" all the time... :cold:




#8 Condobloke

    Outback Aussie @ 54.2101° N, 0.2906° W

  • Members
  • 5,712 posts

Posted 15 July 2016 - 08:06 PM

This begs the question.....has BC ever been hacked and had info stolen ?

 

If not....why not...?

 

Are the powers that be at Ubuntu Forums slack, lazy and far too casual about storing users' info?


Condobloke ...Outback Australian

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

Microsoft gives you Windows, Linux gives you the whole house...


#9 cat1092

    Bleeping Cat

  • BC Advisor
  • 6,988 posts
  • Location:North Carolina, USA

Posted 17 July 2016 - 01:55 AM

 

 

Are the powers that be at Ubuntu Forums slack, lazy and far too casual about storing users' info?

 

Well, they did have our information encrypted, to be later salted when trying to crack, so that's not 'too' casual.

 

There's no such thing as a 'bulletproof' site or business. Take the very recent incident in the US Wendy's burger chain: there were over 1,000 stores where customers' credit/debit card credentials were stolen, and no, it wasn't salted, just as with Target a few years back.

 

Now the banks will be busy informing customers that their cards aren't active (what an inconvenience :angry:) & they'll be issued new ones, at the total expense of the banks/credit card issuers. Wendy's doesn't have the financial resources to bear the cost, though they may be penalized in some manner for their 'lax' security. 

 

AnandTech (a popular tech forum) was also hacked, and we had to create new passwords as a result of the breach. Here's a site that can tell one if their email account has been hacked, and this is why I keep my forum/general use email separate from that of doing business. 

 

https://breachalarm.com/

 

Look at what it shows when I entered my email. 

 

[screenshot: result shown by breachalarm.com for the poster's email address]

 

There's also another site for usernames on forums & social sites, though at the moment I can't find it. Here's an overview of the pwned websites (some known, some not) & approximate number of victims. The scary part is, this is likely a fraction of those who have otherwise been hacked & we don't know it. :angry:

 

https://haveibeenpwned.com/PwnedWebsites

 

One good reason to change passwords regularly. Especially on sites that have one's information; a date of birth, IP & email address can give the criminal a lead to follow. There are legit sites (in the US) that will, for a fee, provide this information (reverse search services). These are especially good if considering a babysitter or caretaker for a loved one, or even someone that's been met & one may have an interest in. Employers routinely have access to one or more of these databases, as they don't want to hire those that don't fit their profile. A criminal record in itself doesn't always disqualify the applicant, rather the offence & how long ago it was. Going 10 to 30 years post release (the longer the better) clean is a good sign that the former inmate (or probation server) has been rehabilitated.

 

Note also that these search providers have a disclaimer to cover their backside; there may be inaccurate information in the report. Especially a reverse phone lookup, where there have been a dozen or more using the same throwaway cell phone number, and less frequently, landlines. One must consider the reputation of the search provider before signing up, and though they offer unlimited 24 hour passes, most of these are offered as a subscription by recurring payments. I won't mess with this; at best a one time lookup for 99 cents, or full day pass for $1.99, which can be paid with a PayPal account to prevent abuse. Ongoing subscriptions require a debit/credit card on file; am glad that mine (a government issued card) doesn't permit these types of transactions. Nor at a gas pump.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#10 Al1000

  • Global Moderator
  • 7,212 posts
  • Location:Scotland

Posted 18 July 2016 - 08:41 AM

Look at what it shows when I entered my email.


That's interesting; I got exactly the same with one of my email addresses.

Is this by any chance the email address you used to register with Linux Mint forum? I recall it was hacked earlier this year.

#11 JohnC_21
  • Topic Starter

  • Members
  • 22,660 posts

Posted 18 July 2016 - 10:49 AM

I refuse to use a debit card that accesses a checking account. I know when using a credit card the most I am liable for is $50. If you do not notify your bank in a timely manner when using a debit card, you are responsible for the entire loss.



#12 Grinler

    Lawrence Abrams

  • Admin
  • 43,472 posts
  • Location:USA

Posted 18 July 2016 - 04:10 PM

This begs the question.....has BC ever been hacked and had info stolen ?
 
If not....why not...?
 
Are the powers that be at Ubuntu Forums slack, lazy and far too casual about storing users' info?


We had a vulnerable OpenX ad server back in 2010 that was hacked. It was no longer in use, was not on the product servers and I forgot about it. Never affected anyone.

In 2009, we also had an XSS issue with one of our scripts that allowed them to redirect people to porn sites. I took that script offline the minute I noticed this.

Otherwise, *knock on wood* we have been lucky

#13 Condobloke

    Outback Aussie @ 54.2101° N, 0.2906° W

  • Members
  • 5,712 posts

Posted 19 July 2016 - 01:52 AM

"Otherwise, *knock on wood* we have been lucky"

 

 

I call that good management.  :thumbup2:

 

Brian




#14 cat1092

    Bleeping Cat

  • BC Advisor
  • 6,988 posts
  • Location:North Carolina, USA

Posted 19 July 2016 - 02:42 AM

I refuse to use a debit card that accesses a checking account. I know when using a credit card the most I am liable for is $50. If you do not notify your bank in a timely manner when using a debit card, you are responsible for the entire loss.

 

Same here, my debit card is a US government issued one. I can't even place cash on it, though I can be refunded for prior purchases, and like with a credit card, it has some protections that most debit card holders don't. That is, as long as I report any breach & agree to assist in prosecution of anyone who places unauthorized charges, no matter who it happens to be.

 

Even if I were to have a debit card linked to a checking account, I would just keep enough (plus a $50 cushion) to pay bills. Probably wouldn't have a debit card along with checking; that's how many get ripped off, & badly. Unfortunately, way too many folks think that just because their checking account funds are FDIC insured, it's a safe haven for their entire savings. Huge mistake, when a debit card is linked to it. The banks push customers to go paperless; as a result, some may not check their accounts as they should, because they feel more secure about it all. How wrong they are in this line of thinking!

 

While I'm certainly not blaming the victims for the actions of criminals, wealth shouldn't be tied to a debit card. This is why prepaid, reloadable cards are good to have & keep only what's needed on one, plus a $50 cushion for online spending when needed; these can be loaded at many places (such as Walmart in the US) 24/7, year round for a sudden purchase.

 

Taking a look at this, is it any wonder why there are so many successful hacks around the clock. Dim the lights & enjoy the show, it looks like a fireworks show at times. Surprisingly, one of the more frequent attackers is the Microsoft Corporation; wonder why they're in the show? :P

 

http://map.norsecorp.com/#/

 

Making my GPU run hard with activity! :P

 

Cat




#15 technonymous

  • Members
  • 2,468 posts

Posted 19 July 2016 - 11:20 PM

There are stricter PCI compliance rules changing that will be in force by August 8th. So this is why you will see more updates and changes in the SSL/TLS certification area. In addition, many online businesses that accept credit cards will have to change their hosting services to VPS and bare metal hosting. Many ran their so called "PCI Compliance" websites over shared hosting networks, which is a big issue. Shared hosting means many ports are open that should not be open. The hosting companies cannot firewall one specific website in a shared hosting network. The new PCI compliance testing will fail for that reason. So you will see lots and lots of changes coming soon. I imagine it's going to be costly, disruptive and chaotic.


Edited by technonymous, 19 July 2016 - 11:21 PM.
