
Two Million Passwords Breached in Ubuntu [forum] Hack


RV_


If you frequent the Ubuntu forums and use the same password on other websites you might want to take immediate action.

 

Excerpt:

 

"Linux users who frequent the Ubuntu forums may want to change their passwords following news that an attacker was able to breach the service and its two million users.

 

Jane Silber, Chief Executive Officer at Canonical, the company that maintains the service, acknowledged on Friday that a known SQL injection vulnerability in Forumrunner, an add-on in the Ubuntu forums that hadn’t been patched, led to the attack.

While Silber claims that no active passwords were accessed in the breach, changing a password after incidents like this is generally viewed as a de rigueur practice.

 

Once in, the attacker had the ability to inject formatted SQL to the Forums database and read from any table in the database. Silber claims it appears the attacker only focused on one table in particular however: the ‘user’ table, which contains the usernames, passwords, and IP addresses of two million users. The attacker downloaded portions of the table, Silber claimed, but cautioned that in addition to being old, the passwords were also hashed and salted ‘random strings,’ something that could make decoding them more difficult.

 

Silber claims Ubuntu is certain the attacker wasn’t able to access any code belonging to the operating system, its update mechanism, or access any valid user passwords.

 

Silber is less certain – but believes the attacker was not able to escalate past remote SQL read access, gain remote SQL write access, gain shell access to the Forums database, gain shell access to the Forums servers, or gain access to any other Canonical or Ubuntu services.

 

Canonical began looking into the incident last Thursday, when a member of the Ubuntu Forums Council informed the company’s information security team that someone claimed they had a copy of the Forums database. The team took the site down for a period of time after the company was able to confirm there was a leak."

 

There is more in the full article here: https://threatpost.com/two-million-passwords-breached-in-ubuntu-hack/119335/

 

Be advised that the article is a bit misleading. Here is the UBUNTU statement that prompted it:

 

"What the attacker could not access

 

We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.

 

We know the attacker was NOT able to gain access to valid user passwords.

 

We believe the attacker was NOT able to escalate past remote SQL read access to the Forums database on the Forums database servers.

 

We believe the attacker was NOT able to gain remote SQL write access to the Forums database.

 

We believe the attacker was NOT able to gain shell access on any of the Forums app or database servers.

 

We believe the attacker did NOT gain any access at all to the Forums front end servers.

 

We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services."

 

There are only two items they are 100% sure of that use the term "know", as opposed to "believe" in the others. That post is here on Canonical's website: https://insights.ubuntu.com/2016/07/15/notice-of-security-breach-on-ubuntu-forums/

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire


Archived

This topic is now archived and is closed to further replies.
