Ubuntu Forums hack exposes 2 million users

An unnamed hacker took usernames, email addresses, and salted and hashed passwords.
Written by Zack Whittaker, Contributor

The company that builds Ubuntu, a popular Linux distribution, has said its forums were hacked Thursday.

Canonical, which develops the operating system, said in a statement on Friday that two million usernames, email addresses, and IP addresses associated with the Ubuntu Forums were taken by an unnamed attacker.

The attacker was able to exploit an SQL injection vulnerability in an add-on used by older vBulletin forum software.

That gave the attacker access to the forum's databases, but the company said that only limited user data was accessed and downloaded.

The statement stressed that no code or repository data was accessed, and the attacker couldn't write data to the database or gain shell access. The attacker also didn't gain access to any other Canonical or Ubuntu service.

Since the breach, the servers were wiped, rebuilt, and hardened, passwords were changed, and the forum software was fully patched.

The statement added that although the forums relied on Ubuntu's single sign-on service, the stored passwords were hashed and salted, so the database held only randomized strings rather than plaintext passwords. But the statement did not say which hashing algorithm was used; some algorithms, like MD5, are still in use but are deprecated, because hashes computed with them can be cracked quickly by brute-force guessing, salt or no salt.
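As an added illustration of the point above (example code, not Canonical's or the Ubuntu Forums' own, whose hashing scheme the statement did not disclose): a salt defeats precomputed tables but does not make a fast hash like MD5 expensive to guess against, and the usual remediation is to detect legacy records and re-hash them with a slow KDF the next time the user logs in successfully. The `md5$...` and `pbkdf2_sha256$...` record formats below are assumptions made for this example, not vBulletin's storage format.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record formats for this example (not vBulletin's or Canonical's):
#   legacy:  "md5$<salt>$<hex digest>"               -> md5(password + salt), one fast hash per guess
#   current: "pbkdf2_sha256$<iters>$<salt hex>$<hex>" -> PBKDF2-HMAC-SHA256, deliberately slow
PBKDF2_ITERATIONS = 600_000

def legacy_md5_hash(password: str, salt: str) -> str:
    """Salted MD5: the salt blocks precomputed tables, but each guess still costs one MD5."""
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"md5${salt}${digest}"

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow KDF: each guess costs `iterations` HMAC computations instead of one hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def is_legacy(record: str) -> bool:
    return record.startswith("md5$")

def verify(password: str, record: str) -> bool:
    """Constant-time comparison against whichever scheme the stored record uses."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        salt, _ = rest.split("$")
        candidate = legacy_md5_hash(password, salt)
    elif scheme == "pbkdf2_sha256":
        iters, salt_hex, _ = rest.split("$")
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
    else:
        return False
    return hmac.compare_digest(candidate, record)

def login(password: str, record: str) -> Tuple[bool, str]:
    """Check the password; on success, upgrade a legacy MD5 record to PBKDF2 transparently.
    Returns (ok, record_to_store) so the caller can persist the upgraded row."""
    if not verify(password, record):
        return False, record
    if is_legacy(record):
        return True, pbkdf2_hash(password)   # only possible now, while the plaintext is in hand
    return True, record
```

Records still tagged `md5$` after a migration window identify accounts that never logged in and need a forced reset rather than a silent upgrade.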

A spokesperson for the company did not immediately respond to a question about the hashing algorithm. (We'll update if we hear back.)

It can't hurt to change your passwords to be safe, and to enable two-factor authentication.

The vBulletin forum software has long been a target for hackers and attackers as an easy point of access to other systems. Most recently, as many as 45 million accounts from over a thousand car, tech, and sports forums owned by Canadian media giant VerticalScope were hacked after an attacker exploited known flaws in the software.

Some of the installations date back to 2007 and hadn't been updated since.

Data from the Ubuntu Forum breach does not appear to be for sale on the dark web -- at least for now.
