vBulletin (vB) is an internet forum software widely used by website owners. Lately, there has been a critical vulnerability in the software’s old versions allowing hackers to breach any forum who hasn’t been updated to the latest version.
Recently, a hacker going by the online handle of “CrimeAgency” on Twitter is claiming to have hacked 126 vBulletin (vB) based web forum stealing personal data of forum’s administrators and registered users ending up leaking it on an underground hacking forum. The data was scanned by online data mining and breach notification platform Hacked-DB.
The hack was conducted between January and Febuarary 2017 in which 819,977 user accounts were stolen from the vulnerable forums. The stolen data includes email addresses, hashed passwords, and 1681 unique IP addresses while the email count based on domains is Gmail: 219,324 accounts, Outlook: 11,070 accounts, Yahoo: 108,777 accounts and Hotmail: 121,507 accounts.
An overall majority of the hacked forums are based on vBulletin 4.x which can be exploited by multiple security vulnerabilities including SQL injection attacks. According to vBulletin support forums, the issue was reported in June 2016.
“A security issue was reported to us that affects vBulletin 4. We have released security patches for vBulletin 4.2.2 & 4.2.3 to account for this vulnerability. The issue could potentially allow attackers to perform SQL Injection attacks via the included Forumrunner add-on. It is recommended that all users update as soon as possible. If you’re using a version of vBulletin 4 older than 4.2.2, it is recommended that you upgrade to the latest version as soon as possible.”
The websites using vBulletin can be easily identified using Google Dorks. However, it looks like users are still using the outdated versions of vBulletin, resulting in a large-scale data breach. Last year, several high-profile forums suffered massive data breaches due to the very same security flaw and the fact that all of them were using the outdated version of vBulletin software.
The list of hacked forum is available on Pastebin. Remember, some of the forums mentioned in the list are NSFW.
The forums targeted last year include Clash of Clans’ Developer “Supercell,” Clash of Kings, Pakistan automotive giant PakWheels, Adult website Brazzers, Epic Games, ClixSense, hacking, trading forum w0rm.ws, Exile Mod games, LifeBoat, and Grand Theft Auto (GTA) Fan forum.
If you are using an outdated version of vBulletin it is highly recommended to update your forum to the latest version.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.