My friend just got hacked, and the dude was able to get his backups through a exploit or something and he was using 3.5.4 i hope there will be a fix for this soon as i dont want that happening to me. He somehow got the database information

i dont think it was a exploit in vbulletin it was more then likely a exploit on his server

If he's backing up to the filesystem somewhere underneath the forum root, really all the "hacker" had to do was get the URL. Eg if his backup path is httpdocs/forums/backups/backup.sql, it's as simple as navigating to whatever.com/forums/backup/backup.sql and downloading it. The problem there isn't vBulletin, it's just bad admin policy.

Useless side trivia: This was a big deal on MS servers, because in older versions of windows you could exploit the print buffer and force your way into the shell if the machine was running IIS. Would-be hackers, once in the shell, could copy whatever they'd like into the web structure and download whatever they wanted that way.

Could you pm me a link to his site please.