A forum dedicated to the art of social engineering, Social Engineered, has been compromised and its users' data leaked on a rival website.
The data breach occurred on June 13, 2019. The details of the forum's users, including 89,000 unique email addresses linked to 55,000 forum account holders, usernames, IP addresses, and passwords stored as salted MD5 hashes, were published and leaked online.
In addition, private messages sent by users were also included in the data dump, according to Have I Been Pwned. The information has been added to the data leak search engine.
According to a blog post penned on Thursday by the owner of Social Engineered, nicknamed Snow101, a vulnerability in MyBB is to blame for the leak.
MyBB is open-source, free software for creating and maintaining forums. The vulnerability in question may be a recently disclosed critical stored XSS bug in MyBB's private messaging and post modules which, if exploited, permits attackers to gain full access to a target account.
The vulnerability was patched in MyBB version 1.8.21, released on June 10.
Social Engineered has now moved over to the XenForo platform in an attempt to prevent a repeat of the data breach. The forum owner has asked members to voluntarily donate towards the shift from a free, open-source project to a commercial forum.