vBulletin vulnerabilities expose 27 million accounts, including gamers on mail.ru

LeakedSource disclosed 11 new data breaches on Wednesday

stbasils cathedral moscow russia

St Basil's Cathedral, Red Square, Moscow

Credit: flowcomm

Recently exploited software vulnerabilities in vBulletin have exposed more than 27 million accounts across nearly a dozen websites.

A majority of the compromised accounts are linked to three games on mail.ru. In addition to the gaming accounts, more than 190,000 accounts were exposed on expertlaw.com, as well as more than 100,000 accounts on gamesforum.com

Combined, the compromised mail.ru domains allowed LeakedSource to add 25,133,805 accounts to their database on Wednesday. At the time of notification, they had managed to crack 12,463,300 passwords.

The compromised mail.ru accounts were exposed recently (August 2016) and are from the gaming side of the company. CFire, Parapa, and Tanks accounts were all exposed. The Parapa forums were also compromised.

Along with passwords, the mail.ru records include usernames, email addresses, phone numbers and IP addresses. The other accounts compromised include usernames, email addresses, IP information, passwords, and birthdays.

"Not a single website used proper password storage, they all used some variation of MD5 with or without unique salts," LeakedSource said.

All of the compromised domains were running unpatched vBulletin software, which allowed attackers to target SQL Injection vulnerabilities in the Forumrunner add-on on vBulletin installations older than 4.2.2 or 4.2.3. These problems were patched in June.

Moreover, a recent security update impacting the same software versions running on the compromised domains was issued on August 1, which if exploited would allow malicious attachment uploads.

"Sadly, this compromise is not a surprise. Too often, companies know valuable applications and systems are vulnerable yet due to the risk of disrupting operations to apply a fix, critical vulnerabilities are not properly patched. They're behavior results in a gamble that they won't be hacked," said Ryan Stolte, CTO and co-founder at Bay Dynamics, in a statement.

"IT and security teams are also not coordinating and communicating with the line-of-business application owners who govern those highly valued assets so that they are held accountable for remediating vulnerabilities. In other cases, there is simply an operational disconnect where they perform a vulnerability scan, find out which applications and systems are vulnerable, but the vulnerabilities are not prioritized and routed correctly based on the value of the asset at risk and who owns that asset."

In addition to the mail.ru domains, the remaining 2,315,283 accounts were exposed after the following domains were compromised via the same methods:

  • expertlaw.com
  • ageofconan.com
  • anarchy-online.com
  • freeadvice.com
  • gamesforum.com
  • longestjourney.com
  • ppcgeeks.com
  • thesecretworld.com (EN)
  • thesecretworld.com (FR)
  • thesecretworld.com (DE)

Salted Hash reached out to mail.ru and the others for comment.

In response to the LeakedSource disclosure, Funcom.com – the company behind TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com – issued a public notice and apologized to users.

The company has since patched their vulnerable vBulletin installations, but they're not able to determine when the data breach occurred. As such, they've reset all passwords on each of the impacted forums.

"We regret to inform you that the data breach includes e-mail addresses, user names, and encrypted passwords associated with forum accounts on these forums. Even though passwords were encrypted, these can be cracked and should be considered compromised. It is important to note that forum accounts and game accounts are separate and are stored on different servers using different security systems. Game accounts have not been compromised," the Funcom.com statement explained.

In a statement to Salted Hash, a spokesperson for Expert Law said they were not able to find evidence of a successful data breach in their system logs, but they're going to assume the worst has happened.

"I do patch the server and software and maintain security measures, and I have not found evidence of a successful intrusion, but we could be talking about an access that occurred prior to the implementation of a patch and that predates or is not reflected in my logs," the spokesperson said in an email exchange.

"I have not yet been able to produce certain unique email addresses from the database on the hackers' website but, as they say, tomorrow is another day and I have to operate on the assumption that the hack occurred."

Update:

A spokesperson from mail.ru says the leaked passwords are not valid. However, the company didn't address any of the questions sent by Salted Hash concerning the data breach. Their full statement is below:

"The passwords mentioned by LeakedSource are no longer valid. They are old passwords to the forums of game projects that Mail.Ru Group acquired over the years. All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way. "

Update 2 (8/25/16 0800 EST):

Responding to the statement made by mail.ru yesterday, a spokesperson for LeakedSource said one of the most important questions to ask when examining a data breach that includes credentials, is 'are or were those passwords valid?'

So the statement from mail.ru is "akin to Microsoft buying Minecraft, integrating users into Microsoft Live and then the original Minecraft passwords being stolen. Yeah, that's nice Microsoft Live wasn't hacked but the data is still highly relevant and important."

In response to follow-up questions from Salted Hash, mail.ru accused LeakedSource of not playing fair and being irresponsible with their disclosure.

"We found out about this episode from the media, to which LeakedSource gave this information, breaking the responsive disclosure rule. This unspoken rule is used by white hat hackers all over the world: before publicly disclosing a vulnerability or leak, inform the service of it to give an opportunity to patch it," a mail.ru spokesperson said.

"This is how the real care for users works. Thus we presume that it's not actually users' protection LeakedSource is so worried about but rather publicity and commercial profit (from clients attracted to them as a result of security scandals and from subscriptions to their services they are very aggressively offering to companies involved in such episodes)."

When questioned about the risk of password reuse, mail.ru said that such a risk is always a factor and that the company will "check this database for password reuse as well and, if we find any matches, we’ll block the compromised accounts and force the owners to go through an access recovery procedure."

Speaking to questions regarding the storage of passwords via MD5 with known salts, mail.ru referred back to their original statement.

"As we said in our official statement, the database contains legacy passwords to the forums of game projects that Mail.Ru Group acquired over the years. All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way."

In addition to the comments above, this story has been updated with additional statements from organizations compromised by the vBulletin vulnerability.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.