2M Email Addresses Compromised in UbuntuForums Hack


The breach was disclosed after someone claimed to have a copy of the database behind UbuntuForums.org, a discussion group for users of the popular Linux distribution. 

Canonical's investigation confirmed that an attacker had obtained access to the site's user records through a software flaw.

The flaw was a SQL injection vulnerability in the Forum Runner add-on for vBulletin, widely used web forum software that powers more than 100,000 community websites. The vulnerability was already known and publicly disclosed, and a fix was available, but Canonical, the company that builds Ubuntu, had not applied the patch.

“The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers,” Canonical's security team said in a blog post. “This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.”
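The mechanism Canonical describes, an injected query that can read from any table, is easy to see in miniature. The following is an added example written for this article, not code from vBulletin or Forum Runner: the schema, the row data and the two lookup functions are constructed assumptions standing in for a forum database. The vulnerable function pastes the request parameter into the SQL text, so a UNION payload turns a thread-title lookup into a dump of the user table (and, via the catalog, a listing of every table). The safe function validates the value and binds it as a parameter, so the same payload is never parsed as SQL.

```python
import sqlite3

# Constructed sample data standing in for a forum database (an assumption;
# the real vBulletin/Forum Runner schema and code are not reproduced here).
def build_forum_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER, username TEXT, email TEXT, "
        "ipaddress TEXT, password TEXT, salt TEXT)"
    )
    conn.execute("CREATE TABLE thread (threadid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.org", "192.0.2.10", "5f4dcc3b", "ab"),
            (2, "bob", "bob@example.org", "198.51.100.7", "e99a18c4", "cd"),
        ],
    )
    conn.executemany(
        "INSERT INTO thread VALUES (?, ?)",
        [(10, "Welcome"), (11, "Install help")],
    )
    conn.commit()
    return conn


def thread_title_vulnerable(conn: sqlite3.Connection, threadid: str) -> list:
    """Builds the query by string concatenation: whatever the caller sends
    becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT title FROM thread WHERE threadid = " + threadid
    return [row[0] for row in conn.execute(sql)]


def thread_title_safe(conn: sqlite3.Connection, threadid: str) -> list:
    """Validates the input and binds it as a parameter: the value is never
    interpreted as SQL, so a UNION payload cannot widen the query."""
    if not threadid.isdigit():
        raise ValueError("threadid must be a positive integer")
    rows = conn.execute(
        "SELECT title FROM thread WHERE threadid = ?", (int(threadid),)
    )
    return [row[0] for row in rows]


# Payloads an attacker would send in place of a numeric thread id.
# The first lists the tables, the second reads the user table: the
# "read from any table" capability Canonical described.
LIST_TABLES = "10 UNION ALL SELECT name FROM sqlite_master WHERE type = 'table'"
DUMP_USERS = (
    "10 UNION ALL SELECT username || ':' || email || ':' || ipaddress FROM user"
)


if __name__ == "__main__":
    db = build_forum_db()
    print("vulnerable, normal input:", thread_title_vulnerable(db, "10"))
    print("vulnerable, table list:  ", thread_title_vulnerable(db, LIST_TABLES))
    print("vulnerable, user dump:   ", thread_title_vulnerable(db, DUMP_USERS))
    print("safe, normal input:      ", thread_title_safe(db, "10"))
    try:
        thread_title_safe(db, DUMP_USERS)
    except ValueError as exc:
        print("safe, payload rejected:  ", exc)
```

The SQLite catalog table `sqlite_master` plays the role that `information_schema` plays in MySQL, which vBulletin runs on; the attack shape is the same. Note that parameter binding, not input validation, is what closes the hole: the `isdigit` check is defence in depth, and the bound query would return no rows for the payload even without it.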

The user table contained usernames, email addresses and Internet Protocol (IP) addresses for some 2 million users.

Because the forums relied on Ubuntu's single sign-on service, the user table did not hold active passwords: the password field contained random strings, and those strings were hashed and salted, according to ZDNet. Canonical's disclosure did not say which hashing algorithm was used. That matters because fast general-purpose hashes such as MD5 can be brute-forced or dictionary-attacked quickly even when salted; the protection here came mainly from the stored values being random rather than user-chosen.
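To make the hashing point concrete, here is an added example written for this article, not Canonical's or vBulletin's code; the wordlist, the salt and the hashing scheme (one MD5 over salt plus password) are assumptions. It shows that a salted MD5 of a human-chosen password falls to a small wordlist, that the same attack finds nothing when the stored value is a random placeholder of the kind single sign-on leaves behind, and how a memory-hard KDF such as scrypt raises the per-guess cost for passwords that are user-chosen.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed wordlist for the demonstration (an assumption, not data
# from the breach).
WORDLIST = ["123456", "password", "qwerty", "ubuntu", "letmein", "linux2016"]


def md5_salted(password: str, salt: str) -> str:
    """Fast, unsuitable password hash: a single MD5 over salt + password
    (assumed scheme; vBulletin's actual construction is not reproduced)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def crack_md5_salted(digest: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. The salt defeats precomputed tables but
    not this: the leaked salt is prepended to each guess, and MD5 is cheap
    enough that real attackers try billions of guesses per second."""
    for guess in wordlist:
        if hmac.compare_digest(md5_salted(guess, salt), digest):
            return guess
    return None


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF: every guess costs the attacker roughly what one
    login costs the defender, so the same wordlist attack is far slower."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def scrypt_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(scrypt_hash(password, salt), stored)


def demo():
    salt = "a1"
    # A human-chosen password under salted MD5 is recovered from the wordlist.
    weak = crack_md5_salted(md5_salted("ubuntu", salt), salt, WORDLIST)
    # A random SSO placeholder (192 bits of entropy) survives the same attack,
    # not because the hash is strong but because the input is unguessable.
    placeholder = secrets.token_urlsafe(24)
    random_result = crack_md5_salted(md5_salted(placeholder, salt), salt, WORDLIST)
    return weak, random_result


if __name__ == "__main__":
    weak, random_result = demo()
    print("salted MD5 of a weak password cracked as:", weak)
    print("salted MD5 of a random placeholder cracked as:", random_result)
    s = secrets.token_bytes(16)
    stored = scrypt_hash("ubuntu", s)
    print("scrypt verify correct password:", scrypt_verify("ubuntu", s, stored))
    print("scrypt verify wrong password:  ", scrypt_verify("Ubuntu", s, stored))
```

The practical lesson is the one the disclosure leaves open: salting alone does not make a fast hash safe, so a site that does store user-chosen passwords should use a deliberately slow, memory-hard function (scrypt, bcrypt or Argon2) and say so in its disclosure.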

The company announced the security incident on its website on July 15.

"While there is no immediate danger to Ubuntu Forums accounts, users should be wary of potential spam and phishing emails that might attempt to distribute malware. Attackers typically launch such attacks following large data breaches, since they can take advantage of known relationships between users and the compromised websites," according to PC World.