The Ubuntu online forums have been hacked for the second time in a few months and data of more than 2 Million users have been exposed.
According to Ubuntu, the hackers exposed users’ data including usernames, email addresses, and IP addresses. The data breach was caused by the failure in applying a patch to the Ubuntu online forums.
The news was first reported by BetaNews that cited the official announcement from Canonical.
“There has been a security breach on the Ubuntu Forums site. We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation.” announced Jane Silber, Chief Executive Officer at Canonical. “Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we’d like to share the details of the breach and what steps have been taken. We apologize for the breach and ensuing inconvenience.”
Experts from Canonical discovered that hackers exploited a known SQL injection vulnerability in the Forumrunner add-on in Ubuntu online forums.
The administrators of the Ubuntu online forums failed to fix the security vulnerability, despite such kind of issues are easy to patch once detected.
This is really an embarrassing situation!
The attackers injected formatted SQL to the Forums database accessing the entire archive and included data.
The attackers used the above access to download portions of the ‘user’ table containing data belonging more than 2 Million users.
Fortunately, the passwords belonging to the Ubuntu online forums were Hashed and Salted as the Forums rely on Ubuntu Single Sign On for logins.
“We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.
We know the attacker was NOT able to gain access to valid user passwords.
We believe the attacker was NOT able to escalate past remote SQL read access to the Forums database on the Forums database servers.
We believe the attacker was NOT able to gain remote SQL write access to the Forums database.
We believe the attacker was NOT able to gain shell access on any of the Forums app or database servers.
We believe the attacker did NOT gain any access at all to the Forums front end servers.
We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.” added the blog post published by Ubuntu.
The incident raised a heated discussion about Canonical’s responsibility for the very bad patch management that exposed users data.
(Security Affairs – Ubuntu online forums, data breach)