It is often easy to point to horrible examples of Internet security when a hack is reported, but even when many good practices are followed and safeguards are in place, that's not always enough to stop you from being successfully targeted. Take the case of vBulletin, which, despite encrypting its stored password data and having responded to attacks several times in the past, was still vulnerable enough for the account information of nearly half a million users to be copied away.
As part of the announcement, vBulletin issued a mandatory password reset for everyone on its system, stating that the hacker in question — who goes by the name Coldzer0 (a good Bond villain name, actually) — may have accessed encrypted password data, as well as other customer information.
The hacker certainly had access to email addresses and other basic account data, though: Coldzer0 posted a screenshot of half-redacted email addresses and usernames to prove the claim was genuine. In total the hacker claimed to have obtained the personal information of some 479,895 users.
However, what is potentially more worrying is the patch that vBulletin issued alongside the announcement. Although the company is being tight-lipped about what the hotfix actually shores up, research from Ars suggests it may close a nearly three-year-old exploit that has only now been discovered by the people who matter.
If vBulletin installations are as vulnerable as this suggests, applying that patch promptly should be mandatory for anyone running one. It would also make sense for anyone with an account on any vBulletin forum, on any site, to change their login details, and to do the same anywhere those details are re-used.
As usual, hacks like this can leave end users feeling vulnerable and helpless, which is why it's always important to practice good security with your own credentials: use reasonably complex, hard-to-guess passwords and don't re-use them.