User data stolen from ‘human hacking’ forum Social Engineered, published on rival site

A vulnerability in MyBB has been blamed.
Written by Charlie Osborne, Contributing Writer

A forum dedicated to the art of social engineering, Social Engineered, has been compromised and its users' data leaked on a rival website.

The data breach occurred on June 13, 2019. The details of the forum users, including 89,000 unique email addresses linked to 55,000 forum account holders, usernames, IP addresses, and passwords stored as salted MD5 hashes were published and leaked online.

In addition, private messages sent by users were also included in the data dump, according to Have I Been Pwned. The information has been added to the data leak search engine.

CNET: US hits Iran with crippling cyberattacks, says a report

In a blog post penned on Thursday by the owner of Social Engineered, nicknamed Snow101, a vulnerability in MyBB is to blame for the leak.

MyBB is open-source, free software for creating and maintaining forums. The vulnerability in question may be a recently-disclosed critical stored XSS bug in MyBB's private messaging and post modules which, if exploited, permits attackers to gain full access to a target account.

TechRepublic: How to view your privacy settings for Microsoft Office 365

If a malicious message containing JavaScript code is sent to an administrator or published on a MyBB forum, this can lead to the full remote takeover of a board.  

The vulnerability was patched in MyBB version 1.8.21, released on June 10.

Social Engineered has now moved over to the XenForo platform in an attempt to prevent a repeat of the data breach. The forum owner has asked members to voluntarily donate towards the shift from a free, open-source project to a commercial forum.

See also: Data breach forces medical debt collector AMCA to file for bankruptcy protection

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards