Ubuntu forums hacked; 1.82M logins, email addresses stolen

Summary: Canonical, the company behind the Ubuntu operating system, has suffered a massive data breach on its forums. All usernames, passwords, and email addresses were stolen.

Ubuntu Forums suffered defacement by hackers on Saturday; also a significant data breach. (Image: ZDNet)

Ubuntu Forums suffered a massive data breach, the company behind the open-source, Linux-based operating system said on Saturday.

In an announcement posted on its main forum page, Canonical confirmed there had been a security breach and that the team is working to restore normal operations.

The notice said "every user's local username, password and email address" from the forum database was stolen. The company said that although the passwords were not stored in plain text, users who share passwords across sites are encouraged to change them.

"Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected by the breach," the open-source company stated.

An estimated 1.82 million users are subscribed to the forums, with more than 1.96 million threads, according to the last crawl by the Internet Archive in mid-June.

The forum itself is understood to be using vBulletin, a popular Web-based forum software.

The site was defaced by hackers during Saturday afternoon, according to social media reports. The main page was altered to include an image sporting a Twitter handle "Sputn1k_" which directs to an account with just five tweets and double-digit followers. The account did not follow any other user at the time of writing.

The image also included a "shoutout" to Twitter user @rootinabox, who appears to be based in the Netherlands. But the link pointed to a website that does not appear to be associated with the account holder.

The social media community appeared generally critical of the move.

"You must feel proud defacing a site by volunteers. They dedicate time and effort to make a free distro. Worst kind of 'hacker'," said one user in a tweet directed at the alleged hacker's Twitter account.

Others who tweeted the attacker during the past few hours simply asked what the music was that he injected into the hacked page when it loaded.

Topics: Security, Open Source, Ubuntu

Talkback

262 comments
  • Ubuntu forums hacked; 1.82M logins, email addresses stolen

    Let me be the first to say HAHAHAHAHHAHAHAHA!!!

    If Canonical can't secure their own OS then there would be absolutely no reason for anyone else to use it. I bet they spent too much time compiling the forums and configuring the OS to notice they left a huge gaping hole in it. I'm willing to go as far as saying the hackers took control through linux's open telnet port. Another black eye for linux. I often wonder if there is anything that linux can do right. My guess is no.

    Glad you posted the article because now I have another reason to not use linux. In fact I'm going to email this article to a few people warning them of the dangers they will risk if they try linux just to strengthen my point.

    Oh did I say HAHAHAHAHAHHAAHAHA yet? I can't stop laughing at this news.
    Loverock-Davidson
    • HAHAHAHAHAHAHA

      seems like you have a massive amount of knowledge on computer security. wish you were my bro :(
      kilafairy
      • kilafairy Isn't vBulletin comprised of proprietary software ?

        so a piece of proprietary software used by vBulletin was compromised and not actually a piece of Linux software was the culprit in this matter.

        What I'm surprised at is why Ubuntu would use vBulletin even if it's widely used just because it's using proprietary software they have no way of overseeing it for security.

        I doubt Fedora, Mint or Suse would allow themselves to be embarrassed as Ubuntu is by this publicity.

        The only positive point is that it's not as bad as the $900,000,000 loss by Microsoft on Surface RT this week.
        Over and Out
        • That is interesting. To deflect the security breach at Canonical

          you post an unrelated reference about Microsoft. It looks to be an act of desperation on your part.

          You do understand that the one time write off will affect Microsoft for that one quarter, as the 6 billion dollar aQuantive write off was, while this security breach may have larger implications?
          John Zern
          • John Zern curious do you say the same thing about a Microsoft security

            breach that "it may also have larger implications" since they seem to have so many of them? as Microsoft regular Tuesday patch would indicate to me.

            John No desperation on my part as I'm not stuck in the windows world as you appear to be.

            I wasn't deflecting the security breach. If you had bothered to notice, I did say, I didn't think Fedora, Mint or Suse wouldn't be allowing that to happen to them.

            Maybe in the future you should avoid speed reading before posting.
            Over and Out
          • Oh the ignorance

            > curious do you say the same thing about a Microsoft security breach
            > that "it may also have larger implications" since they seem to have
            > so many of them? as Microsoft regular Tuesday patch would indicate to me.

            Here is some news for you to ponder: Vulnerabilities being patched does not equate to systems being compromised.

            Linux and OS X are also patched for vulnerabilities. Many, many more vulnerabilities compared to Windows and Microsoft software.

            Got that? If you invoke number of vulnerabilities, Linux and OS X lose. Try to ride the buzz generated by patch tuesdays, but the simple fact is that more vulns are found in Linux and OS X.

            If you compare defaced and rooted servers, Linux ALSO loses. Linux servers running all types of web servers are being compromised as we speak, and nobody has found the exploit path yet. It is that scary. Linuxfoundation.org, kernel.org got ROOTED - and nobody noticed for almost a month. Debian has had their servers rooted. Now Ubuntu.

            How can you trust vendors who cannot even keep their own servers clean?
            honeymonster
          • Really????

            Debian has had their servers rooted. Now Ubuntu.

            So, you are all knowing and know that the server was rooted?

            Did you also predict the 12% drop in MS stock Friday?
            DancesWithTrolls
          • honeymonster...How can you trust vendors who cannot even keep their own

            servers clean? Obviously you were referring to Microsoft since it was originated.

            The security holes are there otherwise there wouldn't be a need for PATCHING every Tuesday.
            Over and Out
          • How can you trust vendors who cannot even keep their own servers clean?

            How can we trust someone who calls himself honeymonster? After all your comments are never factual, let's take your claim that Linux has more vulnerabilities, that's a complete lie, Linux distro maintainers patch every piece of software in their repos, microsoft only patches microsoft products, and if you're talking about just kernel patches, the Linux kernel has all the drivers in the Kernel, the windows kernel doesn't, you're comparing apples to oranges.

            But all we have to do is look at the facts, windows has the most malware in the history of OS's, and it's still dead easy to get infected on windows, millions of people got their windows PC's ROOTED by TDL4, windows has to be the most insecure OS in history, microsoft doesn't even patch some known highly critical windows vulnerabilities, so how can you trust a company who doesn't care about security? money is what microsoft cares about.
            guzz46
          • And yet that isn't what this story is about

            This story is about Linux, once again, failing at security.

            If not even Canonical can configure Linux securely, no one else has any chance at all.

            Remember folks, this was LINUX that got hacked, not Windows. Anyone bringing up Windows is trying to deflect the fact that Linux security is very poor.
            toddbottom3
          • This story is about Linux, once again, failing at security.

            No it's not, it's about Ubuntu forums being hacked, not Ubuntu or Linux being hacked, I suggest you read the article next time.
            guzz46
          • Linux, once again, failed at security

            1.82 million people thought they could trust Linux to secure their information.

            1.82 million people were DEAD wrong.
            toddbottom3
          • Correction

            1.82 million people thought they could trust Canonical, to secure their information.
            RickLively
          • the truth is ....

            the truth is that most such hacks are done through the scripts that are present in the server (e.g. vBulletin in this case) and not by hacking the OS itself.

            this does not mean that linux or windows or any other OS is perfectly secure.
            docesam
          • Yet

            Your crusade against Windows also conveniently ignores the fact that Windows itself isn't the biggest attack vector, it is stuff such as Java and flash that bring most people problems. All of a sudden this reflects badly to Windows, yet a crappy webserver, outdated php stack or the forum software itself does have no bearing on the underlying os. If you want to be taken seriously, you might change your tune a bit, not everyone lacks the ability to see right through your bollocks.
            sjaak327
          • "Windows itself isn't the biggest attack vector"

            Is not Internet Explorer an integral part of Windows? And hasn't ActiveX been a MAJOR vector for malware since its introduction? And if Windows isn't the biggest vector, why does it need patching so often? Dotnet, IE, DirectX are always getting security "fixes". I guess they don't count.
            Iman Oldgeek
          • vectors

            It looks like you don't know anything about Microsoft bugs. You had better read something about Windows server problems...

            (Suggestion: search about dns poisoning) just to mention one
            DoctorWhorm
          • The internet doesn't run on windows.

            What you're saying isn't wrong but the underlying OS of windows IS inherently insecure also. Windows isn't taken seriously at all in big data. There are no large scale data centers that run clusters of windows server for high availability, high powered computing. They do large business local IT at best.
            Ahnomimush
          • "ignores the fact that Windows itself isn't the biggest attack vecto," ???

            Internet search these terms; "microsoft windows nsa backdoor" no excuse for this at all. But then...
            NobleHead