
Data leak affects nearly half a million vBulletin users following targeted hack

Although it is often easy to point to egregious examples of poor Internet security after a hack, following good practices and putting safeguards in place is not always enough to keep you from being targeted. Take the case of vBulletin, which, despite encrypting stored data and having responded to several previous attacks, was still vulnerable enough for the account information of nearly half a million users to be copied away.

As part of the announcement, vBulletin issued a mandatory password reset for everyone on its system, stating that the hacker in question — who goes by the name Coldzer0 (a good Bond villain name, actually) — may have accessed encrypted password data, as well as other customer information.

Whatever the state of the passwords, the hacker certainly had access to email addresses and other basic account data: Coldzer0 posted a screenshot of partially redacted emails and usernames to prove the claim was genuine. In total, the hacker claimed to have obtained the personal information of some 479,895 users.

Potentially more worrying, however, is the patch that vBulletin issued alongside the announcement. Although the company is being tight-lipped about what the hotfix actually fixes, research from Ars Technica suggests it may address an exploit nearly three years old that has only now come to the attention of the people who can fix it.

If vBulletin installations are as vulnerable as this makes them appear, applying that patch should be a mandatory and prompt upgrade for anyone running vBulletin. It would also make sense for anyone with an account on any vBulletin forum, on any site, to change their credentials, and to do the same on any other site where that password is re-used.

As usual, hacks like this can leave end users feeling vulnerable and helpless, which is exactly why it is important to practice good security with your own credentials: use reasonably complex, hard-to-guess passwords and never re-use them across sites.

Jon Martindale