Why the silence?
motorhaven
11-15-2013, 04:33 AM
Why are VB.org and VB.com being silent on the fact that both were hacked yesterday, and access to customer data was gained? What is being done to protect VB license holders? You ought to at least email people so they can change their passwords rather than leaving it up to some outside source for us to find out about this!
Unfortunately, I don't have much faith y'all will let this post stick around.
New Joe
11-15-2013, 04:37 AM
How do you know they were hacked?
motorhaven
11-15-2013, 04:51 AM
Because the people who did it posted screenshots of the contents of the file systems. Macrumors was compromised as a result of this as well, and 800,000 user accounts possibly compromised. They made it a point to announce it so their users could take again, Internet Brands has not. Inexcusable!
https://www.facebook.com/inj3ct0rs/posts/611793255548704
This is the group that did it and they include the screen captures from the shell they managed to install on the servers.
Again, I ask... why the silence? This explains why the VB.org site was mysteriously down last night!
WEBDosser
11-15-2013, 06:03 AM
Well I never..
Amaury
11-15-2013, 07:16 AM
I wouldn't solely trust a screenshot if my life depended on it.
ozzy47
11-15-2013, 09:32 AM
I seriously doubt such a thing happened, but if it truly did, I am sure we would be advised of it.
I guess he's referring to this http://1337day.com/exploit/description/21518
Kinda scary, 0days.
motorhaven
11-15-2013, 12:14 PM
I seriously doubt such a thing happened, but if it truly did, I am sure we would be advised of it.
1. A contractor for VB has already admitted it, then tried to bluff it out by saying it was a "beta" installation on their server which was hit. But BOTH .com and .org were down, and screen shots show access to non-beta installations. http://www.theadminzone.com/forums/showthread.php?t=105650
2. It happened at the same time both VB.com and VB.org sites were mysteriously down.
3. The Mac site has already been widely reported in the press.... then again they did the right thing and told their users immediately.
4. Just a few weeks ago the install directory exploit was reported by VB, and they pulled a similar move not broadcasting that there was an exploit until it was already widely known. I did consulting cleaning up hacked VB sites. This is not something I care to do with my consulting time, because it's money out of small business pockets they should not have had to spend!
I have defended the product for a long time when others haven't --- this I cannot.
lapiervb
11-15-2013, 12:17 PM
I read the same thing here -> http://www.theadminzone.com/forums/showthread.php?t=105650
Can anybody confirm this is true?
ForceHSS
11-15-2013, 12:18 PM
From what I can see it's not true
lapiervb
11-15-2013, 12:34 PM
From what I can see it's not true
And what do you see? Did you read this somewhere? Has VB come out and said this did not happen? Or does "from what you can see" mean you "hope" it's not true??
DemOnstar
11-15-2013, 01:11 PM
Why the silence?
Because nobody is saying anything of course...
motorhaven
11-15-2013, 01:19 PM
From what I can see it's not true
Did you even read that thread? One of VB's guys admitted it.
Paul M
11-15-2013, 01:23 PM
1. A contractor for VB has already admitted it, then tried to bluff it out by saying it was a "beta" installation on their server which was hit. But BOTH .com and .org were down, and screen shots show access to non-beta installations. http://www.theadminzone.com/forums/showthread.php?t=105650
2. It happened at the same time both VB.com and VB.org sites were mysteriously down.
You are making stuff up here.
1. I stated (correctly) that the server they hacked was an old QA stage server.
2. The server was not hacked yesterday, the screenshots date it at sometime in October (more than likely they did it even earlier, just took later shots).
3. vb.org & vb.com were last down (12th/13th depending on your timezone) because of scheduled work on the database server.
You are free to discuss this situation on vb.org, you are not free to make up stuff.
nerbert
11-15-2013, 02:00 PM
One little inconsistency here is that the facebook announcement says the vulnerability is in vB4 and vB5 and they hacked vBulletin.org. vBulletin.org uses vb3.6.12. Why didn't the announcement say the vulnerability is in vB3 as well?
If you're so sure this is true then buy their patch (NOT!!!!!)
All those wishing to buy a vulnerability and patch your forum : h t t p ://1337day.com/exploit/description/21518
motorhaven
11-15-2013, 02:19 PM
You are making stuff up here.
1. I stated (correctly) that the server they hacked was an old QA stage server.
2. The server was not hacked yesterday, the screenshots date it at sometime in October (more than likely they did it even earlier, just took later shots).
3. vb.org & vb.com were last down (12th/13th depending on your timezone) because of scheduled work on the database server.
You are free to discuss this situation on vb.org, you are not free to make up stuff.
IB really needs to invest in CRM (last sentence of your reply). There is a big difference between "making stuff up" and not having information which agrees with yours.
Test QA system or not the screen shots show access to vb.org, vb.com, flyertalk and 5series.net information. What exposure did users of these forums have?
ForceHSS
11-15-2013, 04:31 PM
And what do you see? Did you read this somewhere? Has VB come out and said this did not happen? Or does "from what you can see" mean you "hope" it's not true??
It's not true because the ss they show are not vb just something they made up to look like hackers.
motorhaven
11-15-2013, 05:03 PM
It's not true because the ss they show are not vb just something they made up to look like hackers.
The crackers used the VB database to get a password to a person who is a moderator on MacRumors. They then used this to hack MacRumors because the moderator used the same password on both sites. MacRumors admitted to the hack. Or are they just making it up too?
ForceHSS
11-15-2013, 05:20 PM
I am talking about vbulletin official site when did I ever start talking about MacRumors as you started to say this on your first post that vbulletin.com and vbulletin.org have been hacked
Max Taxable
11-15-2013, 06:27 PM
November: THE month for conspiracy nutter bilge water and bile!
motorhaven
11-15-2013, 06:39 PM
I am talking about vbulletin official site when did I ever start talking about MacRumors as you started to say this on your first post that vbulletin.com and vbulletin.org have been hacked
You aren't paying attention to what I said. The password to Macrumors was obtained BECAUSE VB.com was hacked. Once someone obtains access to a vb database it doesn't take much computational power to crack the passwords. MD5 password protection is weak. It's been a known weak hash method since 1996, and more weaknesses found in 2004.
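Added example, not part of the thread: one way a site that stores fast MD5-based password hashes, as discussed in the post above, can harden them in place. It wraps each stored hash in scrypt without needing the plaintext, then re-hashes the password itself on the next successful login; the legacy format `md5(md5(password) + salt)`, the record layout and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: about 16 MiB of memory per guess (128 * n * r bytes),
# so a stolen table can no longer be tested at raw MD5 speed.
SCRYPT = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme (not stated in the thread): md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def _scrypt(secret: str, kdf_salt: bytes) -> str:
    return hashlib.scrypt(secret.encode("utf-8"), salt=kdf_salt, **SCRYPT).hex()


def migrate_record(rec: dict) -> dict:
    """Bulk step: wrap a stored MD5 hash in scrypt. No password is needed,
    so every row can be converted at once and the bare MD5 column dropped."""
    if rec["scheme"] != "md5":
        return rec
    kdf_salt = os.urandom(16)
    return {
        "scheme": "scrypt-md5",
        "salt": rec["salt"],            # legacy per-user salt, still required
        "kdf_salt": kdf_salt.hex(),
        "hash": _scrypt(rec["hash"], kdf_salt),
    }


def verify(rec: dict, password: str) -> bool:
    """Check a password against any of the three record schemes."""
    if rec["scheme"] == "md5":
        candidate = legacy_hash(password, rec["salt"])
    elif rec["scheme"] == "scrypt-md5":
        candidate = _scrypt(legacy_hash(password, rec["salt"]),
                            bytes.fromhex(rec["kdf_salt"]))
    elif rec["scheme"] == "scrypt":
        candidate = _scrypt(password, bytes.fromhex(rec["kdf_salt"]))
    else:
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, rec["hash"])


def login(rec: dict, password: str):
    """Return (ok, record). On success, a legacy or wrapped record is replaced
    by a native scrypt hash of the password, removing MD5 from the chain."""
    if not verify(rec, password):
        return False, rec
    if rec["scheme"] == "scrypt":
        return True, rec
    kdf_salt = os.urandom(16)
    upgraded = {
        "scheme": "scrypt",
        "kdf_salt": kdf_salt.hex(),
        "hash": _scrypt(password, kdf_salt),
    }
    return True, upgraded


if __name__ == "__main__":
    # Constructed sample row, not real data.
    row = {"scheme": "md5", "salt": "aB3", "hash": legacy_hash("hunter2", "aB3")}
    wrapped = migrate_record(row)
    print(wrapped["scheme"], verify(wrapped, "hunter2"))
    print(login(wrapped, "hunter2")[1]["scheme"])
```

Wrapping protects the table immediately; the upgrade on login is what eventually retires the MD5 layer for active accounts.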
Max Taxable
11-15-2013, 06:41 PM
This is so laughable... If they soooo want us to believe any of this they should have been able to deface the sites in question without too much trouble.
It didn't happen.
motorhaven
11-15-2013, 06:45 PM
This is so laughable... If they soooo want us to believe any of this they should have been able to deface the sites in question without too much trouble.
It didn't happen.
So when Macrumors announced they were hacked they were lying? Yes? No?
Max Taxable
11-15-2013, 06:47 PM
So when Macrumors announced they were hacked they were lying? Yes? No?
I am talking about vB dot org. I don't give a red rat's ass about MacRumors, or any of the rumors about it.
And by the way, it is NOT an unusual event for a site to LIE about being "hacked."
Amaury
11-15-2013, 06:48 PM
You aren't paying attention to what I said. The password to Macrumors was obtained BECAUSE VB.com was hacked. Once someone obtains access to a vb database it doesn't take much computational power to crack the passwords. MD5 password protection is weak. It's been a known weak hash method since 1996, and more weaknesses found in 2004.
So when Macrumors announced they were hacked they were lying? Yes? No?
See below:
You are making stuff up here.
motorhaven
11-15-2013, 07:02 PM
I am talking about vB dot org. I don't give a red rat's ass about MacRumors, or any of the rumors about it.
And by the way, it is NOT an unusual event for a site to LIE about being "hacked."
Weren't you the one who just a few days ago lamented about how poor VB's security record has been?
Max Taxable
11-15-2013, 07:04 PM
Weren't you the one who just a few days ago lamented about how poor VB's security record has been?
That's vB 4. Not vBulletin in general.
But at least in those instances there was a shred of proof, not just dummied up screenshots from illiterate script kiddies, posted on facebook.
motorhaven
11-15-2013, 07:13 PM
That's vB 4. Not vBulletin in general.
You're not serious, are you? Here are 50 vulnerabilities in 3.x versions, and that's just through 2007!
http://www.cvedetails.com/vulnerability-list/vendor_id-781/product_id-1338/Jelsoft-Vbulletin.html
But at least in those instances there was a shred of proof, not just dummied up screenshots from illiterate script kiddies, posted on facebook.
http://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/
Max Taxable
11-15-2013, 07:15 PM
You're not serious, are you?
Since you believe this so strongly, almost religiously and without a shred of actual proof - I am sure you bought the illiterate script kiddie's "patch" and installed it, right?
Did it occur to you the "patch" when installed, is actually the exploit? It's called "social engineering" and it's a tried and true form of "hacking."
Interesting you believe the MacRumors claim, but dismiss Paul's claim. One of them fits your paranoid rant, the other doesn't.
Zachery
11-15-2013, 07:17 PM
You're not serious, are you? Here are 50 vulnerabilities in 3.x versions, and that's just through 2007!
http://www.cvedetails.com/vulnerability-list/vendor_id-781/product_id-1338/Jelsoft-Vbulletin.html
A fair few of those that I see require some level of administrator privilege... administrators are gods.
ozzy47
11-15-2013, 07:19 PM
So they hacked vb.com and vb.org, so they could get this dude's password and hack MacRumors
Sounds to me like stealing the keys to a Chevy to drive a Ford.
Max Taxable
11-15-2013, 07:33 PM
The claim: vBulletin dot org was hacked yesterday
The evidence: Zero
Result is attached.
And right now, because we refuse to believe the religious ramblings, he is desperately trying to figure out what sites we have, to feed us to the illiterate hax0rs...
motorhaven
11-15-2013, 07:49 PM
Since you believe this so strongly, almost religiously and without a shred of actual proof - I am sure you bought the illiterate script kiddie's "patch" and installed it, right?
Did it occur to you the "patch" when installed, is actually the exploit? It's called "social engineering" and it's a tried and true form of "hacking."
Put away your lame assumptions about someone's experience and your weak lessons before you embarrass yourself. I know what social engineering is - I was dealing with people doing that stuff back in the 1980s, when I wasn't busy coding in assembler. That was well before I started one of the first enthusiast groups on the Internet.
Interesting you believe the MacRumors claim, but dismiss Paul's claim. One of them fits your paranoid rant, the other doesn't.
Macrumors has nothing to gain by saying they were hacked. They have credibility to lose, as a matter of fact.
Max Taxable
11-15-2013, 07:51 PM
Put away your lame assumptions about someone's experience and your weak lessons before you embarrass yourself. I know what social engineering is - I was dealing with people doing that stuff back in the 1980s, when I wasn't busy coding in assembler. That was well before I started one of the first enthusiast groups on the Internet.
Macrumors has nothing to gain by saying they were hacked. They have credibility to lose, as a matter of fact.
And we still have ZERO evidence that vB dot org was hacked, as you claimed.
You never answered the question either. DID you buy the "patch" from the illiterate script kiddies and install it? If not, why are you promoting it?
ForceHSS
11-15-2013, 08:53 PM
You aren't paying attention to what I said. The password to Macrumors was obtained BECAUSE VB.com was hacked. Once someone obtains access to a vb database it doesn't take much computational power to crack the passwords. MD5 password protection is weak. It's been a known weak hash method since 1996, and more weaknesses found in 2004.
Someone needs to chill pill. Stop posting crap like this, you're just making it worse for yourself
Paul M
11-15-2013, 08:55 PM
The crackers used the VB database to get a password to a person who is a moderator on MacRumors. They then used this to hack MacRumors because the moderator used the same password on both sites. MacRumors admitted to the hack. Or are they just making it up too?
Where exactly have MacRumors admitted that they were hacked because (1) A moderator used the same password on vb.com and their site, (2) Assuming they cracked the password from vb.com, this moderator account was used to hack them?
Digital Jedi
11-16-2013, 10:39 AM
Again, I ask... why the silence? This explains why the VB.org site was mysteriously down last night!
So you believe that vB.org and vB.com were hacked, going by the time stamp on your post, Thursday.
2. It happened at the same time both VB.com and VB.org sites were mysteriously down.
And at the same time as MacRumors.
Test QA system or not the screen shots show access to vb.org, vb.com, flyertalk and 5series.net information. What exposure did users of these forums have?
And into a vBulletin 3 site using a vBulletin 4 exploit.
The crackers used the VB database to get a password to a person who is a moderator on MacRumors. They then used this to hack MacRumors because the moderator used the same password on both sites. MacRumors admitted to the hack. Or are they just making it up too?
You aren't paying attention to what I said. The password to Macrumors was obtained BECAUSE VB.com was hacked. Once someone obtains access to a vb database it doesn't take much computational power to crack the passwords. MD5 password protection is weak. It's been a known weak hash method since 1996, and more weaknesses found in 2004.
Then they used the information they hacked from vBulletin.org Thursday, to hack into MacRumors....on Monday???? (http://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/)
Either the hackers are time travellers or, as was repeatedly stated, hacking had nothing to do with .com and .org being down last night. Which would explain how you get into a vB3 site using a vB4 exploit. You don't.
You can see where this information all seems kinda suspicious, especially since MacRumors says they were hacked in a similar manner to the way Ubuntu Forums was hacked. And Ubuntu Forums was hacked in July (http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/). Again, there's no suspicious timing with vBulletin being down yesterday that coincides with either of these forums being hacked. In both cases, a moderator/administrator having their personal accounts hacked. Why would you need to hack vB.com and vB.org .... to hack a completely different website in the exact same manner? To borrow from ozzy's analogy, that's stealing the keys to the Chevy. Hot wiring the Ford. Then saying the Chevy made me do it. It doesn't make a lick of sense.
Simon Lloyd
11-16-2013, 11:07 AM
Unfortunately there IS some evidence about MacRumors here http://www.informationweek.com/security/vulnerabilities-and-threats/macrumors-hacker-promises-stolen-passwords-are-safe/d/d-id/1112235? and their admission here http://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/ although I see no evidence of any vb hacking!
In the case of MacRumors, however, lol said that the vBulletin software wasn't to blame for the breach, saying instead that "the fault lied within a single moderator." That suggests that a MacRumors moderator chose an insecure password, which lol either guessed, or matched using a dictionary attack, which attempts to guess passwords by using an exhaustive list of likely matches.
ozzy47
11-16-2013, 11:13 AM
If you read in that first link you posted, http://www.informationweek.com/security/vulnerabilities-and-threats/macrumors-hacker-promises-stolen-passwords-are-safe/d/d-id/1112235? this is what the hacker said.
In the case of MacRumors, however, lol said that the vBulletin software wasn't to blame for the breach, saying instead that "the fault lied within a single moderator." That suggests that a MacRumors moderator chose an insecure password, which lol either guessed, or matched using a dictionary attack, which attempts to guess passwords by using an exhaustive list of likely matches.
Simon Lloyd
11-16-2013, 11:33 AM
lol already posted that in my post :-)
ozzy47
11-16-2013, 11:35 AM
I really need to read more, or sleep more, I swear, all the text starts to look the same after awhile. :)
Max Taxable
11-16-2013, 02:56 PM
Interestingly, (Or perhaps not) I did a page source code reading of vB dot org while it was down. It showed a 101 error on the server, server down. As with maintenance. There was NO evidence of any "hacking."
Again - why didn't the script kiddies deface the site for their street cred? Why did they have to dummy up a screenshot for their claim?
Oh... Because it never happened.
findingpeace
11-16-2013, 04:03 PM
Hi everyone,
I just wanted to stop by and make sure, we don't need to apply any patches or fixes to our sites, right? Still no vulnerabilities in 4.2.2?
Thanks very much
AndrewSimm
11-16-2013, 04:07 PM
The best way to protect yourself is make sure your mods have safe passwords and comment out their ability to use HTML.
ozzy47
11-16-2013, 04:13 PM
Hi everyone,
I just wanted to stop by and make sure, we don't need to apply any patches or fixes to our sites, right? Still no vulnerabilities in 4.2.2?
Thanks very much
No if you have the latest release, and deleted your install directory, you are fine. :)
Nirjonadda
11-16-2013, 04:42 PM
No if you have the latest release, and deleted your install directory, you are fine. :)
I can confirm with vB 4.2.2 Installation, you cannot access Admin Control Panel without deleting your install directory?
ozzy47
11-16-2013, 04:45 PM
Yeah I believe they added that in there, instead of just making you just delete the file.
WEBDosser
11-16-2013, 05:20 PM
So.. I have emails from vb.com asking to change my password and saying they were hacked.
take a look at vb.com cannot get in to change anything
ozzy47
11-16-2013, 05:27 PM
Strange, I got in and changed my PW no problem, all I did was log in, using my old PW, and then changed it.
Max Taxable
11-16-2013, 05:28 PM
So.. I have emails from vb.com asking to change my password and saying they were hacked.
take a look at vb.com cannot get in to change anything
No problem on this end... And only email I have from them lately is a birthday greeting.
Simon Lloyd
11-16-2013, 05:28 PM
Yeah vb.com gave out a duff link but if you login and go here http://www.vbulletin.com/forum/settings/account#usersettings-module-top you'll be golden!
I got this from them a few minutes ago
This is an important message about your account.
We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
To regain access to your account:
1.Visit the vBulletin forums at http://www.vbulletin.com/settings/account
2.Enter in your existing password followed by your new password, twice for confirmation.
3.Save this page at the bottom.
Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose a password that you are not using on any other sites.
If you have any additional questions or concerns, please feel free to contact our support team at http://www.vbulletin.com/go/techsupport or support@vbulletin.com.
Sincerely,
Wayne Luke,
vBulletin Lead Technical Support.
Helping You Build Better Communities,
AndrewSimm
11-16-2013, 05:32 PM
It won't let me change my password on .com
Max Taxable
11-16-2013, 05:39 PM
Few things are worse than and yet more humorous than, hax0r paranoia.
DoubleGlasses
11-16-2013, 05:50 PM
So I'm just wondering - I just got the email (screenshot below). Did this happen or not? I was sort of waiting to see if something would be posted in my admincp or something...
https://vborg.vbsupport.ru/external/2013/11/29.png
My gut was that this is a phishing email but I don't know....
MattGarner
11-16-2013, 05:52 PM
So I'm just wondering - I just got the email (screenshot below). Did this happen or not? I was sort of waiting to see if something would be posted in my admincp or something...
https://vborg.vbsupport.ru/external/2013/11/29.png
My gut was that this is a phishing email but I don't know....
When you go to Vbulletin.com forum then you will have a notice saying they are forcing people to change their passwords. So I would say the email is somewhat legit.
ozzy47
11-16-2013, 05:52 PM
Better off to be safe than sorry, but I would not follow the links in the email just to be safe, navigate to the site like you normally would.
WEBDosser
11-16-2013, 06:01 PM
lol so they did get hacked.. haha
Amaury
11-16-2013, 06:29 PM
I was asked to change my password when getting on just now because it's been 100 days and it therefore expired.
Must have been a recent change for security reasons, which I have no problems with, because I only update my passwords about every six months (twice a year), and I didn't get that message before.
Digital Jedi
11-16-2013, 06:45 PM
So wait, they went ahead and sent out emails to change your password just to sate hacking paranoia?
dougdirac
11-16-2013, 07:07 PM
The best way to protect yourself is make sure your mods have safe passwords and comment out their ability to use HTML.
How do I do that?
vbresults
11-16-2013, 07:51 PM
So wait, they went ahead and sent out emails to change your password just to sate hacking paranoia?
You and I both know what's happening here, and it's not that. :(
TheLastSuperman
11-16-2013, 07:59 PM
Put away your lame assumptions about someone's experience and your weak lessons before you embarrass yourself. I know what social engineering is - I was dealing with people doing that stuff back in the 1980s, when I wasn't busy coding in assembler. That was well before I started one of the first enthusiast groups on the Internet.
Macrumors has nothing to gain by saying they were hacked. They have credibility to lose, as a matter of fact.
Hey bud, welcome to 2013... this is not the 1980's so continuing to spread rumors when you're not up to par on the situation and apparently do not know the full details or extent of said situation is simply not the right thing to do in my opinion... why do I say that?
There is a big difference between "making stuff up" and not having information which agrees with yours.
^ Case in point... I don't know the full extent of the situation and if I don't then neither do you so it does not matter if other information does not agree with "yours". Paul would know more than either of us - assumptions and justifications to what you see are fine but continuing to post them as rumors is not because at the time of your initial posts the most info we all had on this was that released by the so-called "hackers" and does everyone take what they say at face value? Pffffft I hope not so neither should you have, see my point? :p
So wait, they went ahead and sent out emails to change your password just to sate hacking paranoia?
Apparently because Paul already stated they hacked a QA server... so yes ladies and gents if it was an old copy of vb.com database on that QA server and your passwords had not changed then common sense tells us that you need to change your passwords, do that regardless of what you read.
DO NOT USE THE SAME PASSWORD FOR EVERY SITE! Buy a cheap black ledger book from an office supply store/wal-mart etc and write down the passwords for each site, keep in your desk drawer for easy reference. You can also have your browser remember passwords, I do the ledger book because if the right virus hits your pc then all that info is known as well.
TheLastSuperman
11-16-2013, 08:00 PM
You and I both know what's happening here, and it's not that. :(
You don't know neither does DJ :p.
Amaury
11-16-2013, 08:15 PM
DO NOT USE THE SAME PASSWORD FOR EVERY SITE!
I actually do this to an extent.
I use the same password for all sites I'm a member of (e.g., YouTube). However, on sites where I'm a staff member, such as KH-Flare, I use a different password, which is currently the only site I have a different password on. The other sites I'm staff on aren't big / don't have a lot on them at the moment, so I use the same password as places I'm a member of, but it's a secure password. Then there are also sites that you're staff on, but you're only a sectional moderator that, of course, doesn't have access to the admin or moderator control, so it doesn't really matter.
I actually look at the security more than the uniqueness when it comes to passwords
hugh_
11-16-2013, 09:21 PM
What hasn't been disclosed and concerns me is whether the hackers had access to customer records and financial information, and the support system which must contain a large amount of fairly sensitive customer information...
Paul M
11-16-2013, 10:01 PM
Not really sure what financial information you mean.
All the log files that were examined do not show any attempted access of customer data in the support system, they basically targeted the vb user table.
motorhaven
11-16-2013, 10:44 PM
Hey bud, welcome to 2013...
Welcome to I was right.
this is not the 1980's so continuing to spread rumors when you're not up to par on the situation and apparently do not know the full details or extent of said situation is simply not the right thing to do in my opinion... why do I say that?
Had you followed all the resources out there about it you'd have seen there was more than just screen shots. But you and others were too busy looking to defend VB rather than following and reading everything at the resources, such as the long thread over at Mac Rumors where there was plenty of info.
The right thing was not IB employees initially taking the Baghdad Bob role.
Max Taxable
11-16-2013, 10:51 PM
Just to keep this clear...
No one has yet said vbulletin DOT COM wasn't possibly hacked. The meter was this site, vbulletin DOT ORG.
From the link in post #3, there is NO claim of vb dot org being part of this "hack." And many here have expressed their doubts an exploit for version 4 would also automatically mean this site which uses version 3 was also "hacked."
As far as I can tell, only the author of the first post is claiming it's also vB dot org which was "hacked."
There isn't one shred of proof of that and it's not even a claim the illiterate script kiddies with their dummied up screenshot and their "patch for sale" are even making.
New Joe
11-16-2013, 11:17 PM
Just got this e mail:
This is an important message about your account.
We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
To regain access to your account:
Visit the vBulletin forums at http://www.vbulletin.com/settings/account
Enter in your existing password followed by your new password, twice for confirmation.
Save this page at the bottom.
Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose a password that you are not using on any other sites.
If you have any additional questions or concerns, please feel free to contact our support team at http://www.vbulletin.com/go/techsupport or support@vbulletin.com.
Sincerely,
Wayne Luke,
vBulletin Lead Technical Support.
Helping You Build Better Communities,
Chris8
11-16-2013, 11:29 PM
So... can someone explain how exactly they hacked vb.com. Can we have some more detailed answers?
Paul M
11-16-2013, 11:35 PM
Posts edited or removed.
I will repeat one more time, this thread is not for made up nonsense.
Stick to facts, don't go making things up.
Max Taxable
11-16-2013, 11:38 PM
So... can someone explain how exactly they hacked vb.com. Can we have some more detailed answers?
In post number 3 of this thread you will find a link to a facebook posting where a "hacking" claim is made. Images in that link send you to dummied up screenshots that could be anything.
hugh_
11-17-2013, 12:28 AM
Not really sure what financial information you mean.
All the log files that were examined do not show any attempted access of customer data in the support system, they basically targeted the vb user table.
Was this an SQL injection and not a hack or vulnerability?
motorhaven
11-17-2013, 12:56 AM
There isn't one shred of proof of that and it's not even a claim the illiterate script kiddies with their dummied up screenshot and their "patch for sale" are even making.
The screen shots the script kiddie provided show the VB.org database in the list.
Max Taxable
11-17-2013, 01:00 AM
The screen shots the script kiddie provided show the VB.org database in the list.
I never saw that... I saw dummied up screenshots I could make for ya, to show anything I wanted you to see.
There was nothing at all about vB dot org in any of it.
motorhaven
11-17-2013, 01:01 AM
Posts edited or removed.
I will repeat one more time, this thread is not for made up nonsense.
Stick to facts, don't go making things up.
Which one is a fact? A single server was hacked as you claim, or servers as the notice from VBulletin claims? Just curious, since my post about others being wrong was considered enough nonsense to remove, but not those calling me paranoid, a conspiracy nut, or any of the others slamming me. Hardly seems impartial.
Max Taxable
11-17-2013, 01:03 AM
Which one is a fact? A single server was hacked as you claim, or servers as the notice from VBulletin claims? Just curious, since my post about others being wrong was considered enough nonsense to remove, but not those calling me paranoid, a conspiracy nut, or any of the others slamming me. Hardly seems impartial.
Post #70 was edited by Paul, a post of mine was deleted....
You never answered my questions. Have you bought their "patch?" If not, why are you promoting it?
Paul M
11-17-2013, 01:14 AM
Was this an SQL injection and not a hack or vulnerability?
They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.
It's not known exactly how, but at one point there were in the region of 100 old installs on it, so any one of them could have been used.
The best guess from evidence is that they hacked it sometime in late summer, and at some point between then and early October they uploaded adminer.
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.
After that it appears they moved on (they deleted adminer). Nothing was known about this until their facebook post the other day.
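Since the post above says adminer was deleted after use, the web server's access log is where that activity would still be visible. The following is an added example, not part of the thread and not vBulletin or Internet Brands code: it flags requests whose query string looks like a database-console session aimed at a non-local MySQL host. The log lines, host names, paths and account names are constructed, and the `server`/`username`/`select` parameter layout is an assumption based on how Adminer normally builds its MySQL URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format; hosts, paths and
# account names are invented for the example, not taken from the incident.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Oct/2013:03:14:07 +0000] "GET /qa/build41/tools.php?server=db-live.example.internal&username=forum_ro&db=forum&select=user HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Oct/2013:03:15:40 +0000] "GET /qa/build41/tools.php?server=db-live.example.internal&username=forum_ro&db=forum&select=session HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [02/Oct/2013:03:16:02 +0000] "GET /qa/build12/showthread.php?t=1234 HTTP/1.1" 200 15002 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [02/Oct/2013:03:17:11 +0000] "GET /qa/build12/search.php?server=1&query=adminer HTTP/1.1" 200 7301 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Oct/2013:11:02:45 +0000] "GET /qa/build07/adminer.php HTTP/1.1" 404 512 "-" "curl/7.30"',
    'malformed line without a request',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def scan(lines):
    """Return one finding per request that looks like database-console use."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, when, _method, target, status = m.groups()
        url = urlsplit(target)
        q = parse_qs(url.query, keep_blank_values=True)
        script = url.path.rsplit("/", 1)[-1].lower()
        server = q.get("server", [None])[0]
        reasons = []
        # Match on the parameter shape, so a renamed script is still caught.
        if server is not None and "username" in q:
            reasons.append("db-console-params")
            if server.split(":")[0].lower() not in LOCAL_HOSTS:
                reasons.append("remote-db-host")
        # Probes for the default file name are worth keeping even on a 404.
        if script.startswith("adminer") and script.endswith(".php"):
            reasons.append("adminer-filename")
        if reasons:
            findings.append({
                "ip": ip, "time": when, "path": url.path, "server": server,
                "tables": q.get("select", []) + q.get("table", []),
                "status": status, "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Group findings by client, script and database host."""
    groups = {}
    for f in findings:
        key = (f["ip"], f["path"], f["server"])
        g = groups.setdefault(key, {"hits": 0, "tables": set(),
                                    "first_seen": f["time"]})
        g["hits"] += 1
        g["tables"].update(f["tables"])
    return groups


if __name__ == "__main__":
    for key, g in summarize(scan(SAMPLE_LOG)).items():
        print(key, g["hits"], sorted(g["tables"]), g["first_seen"])
```
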
motorhaven
11-17-2013, 01:16 AM
I never saw that... I saw dummied up screenshots I could make for ya, to show anything I wanted you to see.
There was nothing at all about vB dot org in any of it.
VBulletin has acknowledged in the email they sent that systemS were hacked. In light of this admission by VB the cracker's screenshots have credibility. Apparently credible enough for VBulletin.ORG to require everyone to change their password when logging in.
hugh_
11-17-2013, 01:25 AM
They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.
It's not known exactly how, but at one point there were in the region of 100 old installs on it, so any one of them could have been used.
The best guess from evidence is that they hacked it sometime in late summer, and at some point between then and early October they uploaded adminer.
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.
After that it appears they moved on (they deleted adminer). Nothing was known about this until their facebook post the other day.
Thanks for the clarification Paul.
motorhaven
11-17-2013, 01:25 AM
Post #70 was edited by Paul, a post of mine was deleted....
You never answered my questions. Have you bought their "patch?" If not, why are you promoting it?
No, I bought nothing from them. Not once have I promoted anything, where in the world did you get that from?
I posted here because the hack was mentioned on another site, Paul M. knew about it there, and yet even after this there was silence from VB com/org. I posted to bring it to light, in part because the last time VB stalled on getting the word out about hacks thousands of VBulletin based sites got hacked.
Paul M. acknowledged the hackers gained access to vb.org's database. That makes you wrong.
Paul M
11-17-2013, 01:27 AM
Enough of the bickering, this is not the school playground.
I have made it quite clear what is known.
If you have genuine, sensible, questions to ask, or things to say you are welcome, any more childish arguments and untruths will be removed.
TheLastSuperman
11-17-2013, 01:49 AM
Welcome to I was right.
Had you followed all the resources out there about it you'd have seen there was more than just screen shots. But you and others were too busy looking to defend VB rather than following and reading everything at the resources, such as the long thread over at Mac Rumors where there was plenty of info.
The right thing was not IB employees initially taking the Baghdad Bob role.
No you were not right, mistaken possibly... while assuming too much it seems.
The screen shots the script kiddie provided show the VB.org database in the list.
Well now a plain run of the mill fashion script kiddie could not do this, it was someone w/ knowledge and expertise enough to know where to look and what to look for and how to "dig" for it.
Which one is a fact? A single server was hacked as you claim, or servers as the notice from VBulletin claims? Just curious, since my post about others being wrong was considered enough nonsense to remove, but not those calling me paranoid, a conspiracy nut, or any of the others slamming me. Hardly seems impartial.
The reason why is you're spreading rumors and paranoia around like wildfire which is causing panic if nothing else. Paul said a QA server was hacked, it had around 100 variations of old installs/database copies on it for testing purposes so therefore it was best for vbulletin.com and vbulletin.org to have us all change our passwords.
Until we all know more let's try and be civil, sorry if I came across wrong initially motorhaven but my points are still valid i.e. you only know of this because of what you've read and you're not Paul nor anyone else on staff at vbulletin.com so you didn't know "for sure" at time of posting.
Simon Lloyd
11-17-2013, 01:55 AM
I changed my password here almost immediately (better safe than sorry!) yet when I logged in today I get told my password is more than 100 days old??
Is this normal behaviour Paul with this version of vb when password change is forced?
Last question, did or could the hacker have gotten our customer numbers and license numbers?
TNCclubman
11-17-2013, 03:39 AM
In Canada we have laws where companies must immediately disclose they got hacked. Do you guys not have that down there in the states? Seems like people are scared to put out an official declaration of what happened that can be verified by an audit by law punishable by jail or fines if lying.
motorhaven
11-17-2013, 03:45 AM
In Canada we have laws where companies must immediately disclose they got hacked. Do you guys not have that down there in the states? Seems like people are scared to put out an official declaration of what happened that can be verified by an audit by law punishable by jail or fines if lying.
Many states have disclosure laws. California, where IB is based, does: SB 1386
Digital Jedi
11-17-2013, 04:38 AM
Welcome to I was right.
Dude, you were epically wrong. All you knew was what they said. And what they said turned out to (surprise) not be entirely true. You even had the order of events all wrong.
Many states have disclosure laws. California, where IB is based, does: SB 1386
Here's the thing. You found out about it the same day vB found out about it. Then asked why the silence. You didn't even give them a day to do basic research to find out if it was even true or actionable. This is why you got jumped on by the rest of us. We like a little proof with our outrage. And low-fat creamer.
DoubleGlasses
11-17-2013, 06:36 AM
So I have a question - is your account on vbulletin.com the same as your account on vbulletin.com/forum?
Because now I'm not even sure I have an account on vbulletin.com/forum - especially since I can't retrieve it...
AndrewSimm
11-17-2013, 07:14 AM
So I have a question - is your account on vbulletin.com the same as your account on vbulletin.com/forum?
Because now I'm not even sure I have an account on vbulletin.com/forum - especially since I can't retrieve it...
No, it is different and I would assume in a different database altogether, but I don't know about the last part.
Digital Jedi
11-17-2013, 07:27 AM
So I have a question - is your account on vbulletin.com the same as your account on vbulletin.com/forum?
Because now I'm not even sure I have an account on vbulletin.com/forum - especially since I can't retrieve it...
Paul already clarified this earlier in the thread.
Not really sure what financial information you mean.
All the log files that were examined do not show any attempted access of customer data in the support system, they basically targeted the vb user table.
So, no. They're two different accounts.
findingpeace
11-17-2013, 12:02 PM
No if you have the latest release, and deleted your install directory, you are fine. :)
Thank you, ozzy!
Hi, upon entering this subforum (vB4 General Discussions), I was prompted with a password popup saying I needed to authenticate myself. Was this a server glitch, or is there still some sort of malicious / phishing code on the servers?
Thanks
Here is a screenshot
https://vborg.vbsupport.ru/external/2013/11/28.png
This is actually happening whenever I load any subforum. The rest of the site (threads, forum home, etc) doesn't seem to be affected.
qpurser
11-17-2013, 01:20 PM
Got the same here since this morning.
ozzy47
11-17-2013, 01:21 PM
I would not enter anything in that box till we know what is going on.
Disco_Dave
11-17-2013, 04:20 PM
I had it also, seems to have gone now.
ozzy47
11-17-2013, 04:22 PM
Yeah I believe Lynne deleted the announcement that was causing the issue. :)
Disco_Dave
11-17-2013, 04:25 PM
Cool
Chris8
11-17-2013, 05:03 PM
I have only asked for the details for which I believe I have the right as the customer who paid for the licenses and I have only pointed to the things you wrote yourself not assuming for sure anything. But you removed it from my post. Wow... you are hilarious vb team. The customer data is now stolen in a 3rd party hands and you try to silence CUSTOMERS who just ask for some details/support. Way to go... huh. Not nice.
ozzy47
11-17-2013, 05:06 PM
If you feel you need clarification on Paul's decision, please do so in private.
Staff decisions are final. Ultimately, staff has complete discretion over what is and is not acceptable on the site.
Public discussions of staff decisions are not permitted on the site. If you have any concerns or queries relating to a staff decision, please take it up in private with a member of the site administration team.
Chris8
11-17-2013, 05:13 PM
I think a bit of some good manners applies to everyone, no?
Max Taxable
11-17-2013, 05:36 PM
The customer data is now stolen in a 3rd party hands
That's not known for sure. Read Paul's posts, what he says is what they know. He never said the customer data is in 3rd party hands.
findingpeace
11-17-2013, 05:53 PM
That's not known for sure. Read Paul's posts, what he says is what they know. He never said the customer data is in 3rd party hands.
Doesn't this post from Paul mean customer data is in 3rd party hands?
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.
Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.
Max Taxable
11-17-2013, 05:58 PM
Doesn't this post from Paul mean customer data is in 3rd party hands?
Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.
Yes thanks for pointing that out, that slipped by me. My apologies. It sure does sound like he is saying that.
Digital Jedi
11-17-2013, 06:00 PM
Doesn't this post from Paul mean customer data is in 3rd party hands?
Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.
Nope, Paul said that they targeted the user tables. The forum. Not customer data. Not the same thing.
findingpeace
11-17-2013, 06:02 PM
Nope, Paul said that they targeted the user tables. The forum. Not customer data. Not the same thing.
Well I am a vBulletin customer, and it is my data :) I get what you are saying though, I'm just being a spaz - at least it's not our credit card or license info.
Chris8
11-17-2013, 08:09 PM
But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later.
So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers.
Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it.
Will Watts
11-17-2013, 09:15 PM
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.
How did they crack the MySQL password - how is the QA server linked to the live DB?
I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB?
Digital Jedi
11-17-2013, 09:43 PM
But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later.
So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers.
Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it.
If you re-read Paul's explanation, you'll see nothing was modified. vB.org tables were read, not modified. And the only tables read were user tables.
How did they crack the MySQL password - how is the QA server linked to the live DB?
I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB?
Adminer lets you manage database files from one file. I've not used it, but if they had a bunch of cloned databases to look at, it was probably simple reverse engineering.
Lynne
11-18-2013, 12:53 AM
The databases are on a different server than the files (typical setup if you have more than one server).
Will Watts
11-18-2013, 09:18 AM
The databases are on a different server than the files (typical setup if you have more than one server).
So how did they crack the live DB MySQL? Was the password listed somewhere on the QA server or do you not know how it was done?
Guest0321
11-18-2013, 02:59 PM
Paul said
"They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.".
If they broke into the server, the QA DB password could be gleaned by the vB config file. Hopefully it wasn't the same db user and password in use for vB.com or vB.org.
In the past, the QA team has copied the vb.com live database (or parts of it) to one of their servers, and tested installations.
Maybe that was done, and the db userid's/passwords were brought along with them. That would have given them access to the vb.com DB.
But I would think the vb.com DB has restricted access via the hosts table or something.
Paul M
11-18-2013, 03:20 PM
If they broke into the server, the QA DB password could be gleaned by the vB config file. Hopefully it wasn't the same db user and password in use for vB.com or vB.org.
They are not the same user or password, and never have been.
We have an idea how they may have got the details, and it's not via anything vbulletin related.
Will Watts
11-18-2013, 04:07 PM
They are not the same user or password, and never have been.
We have an idea how they may have got the details, and it's not via anything vbulletin related.
Was my question not worth answering? This hack is being reported in mainstream tech media, and vB can't be bothered to give proper answers or alleviate concerns?
http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/
Digital Jedi
11-18-2013, 04:26 PM
Ars Technica is mainstream tech media?
I still don't understand what additional information you want/need. I doubt they'll give you the exact method.
motorhaven
11-18-2013, 04:54 PM
Why do people keep trying to find ways to give VB passes on this?
Needing to know if the hack was due to an exploit in VB itself is a hugely legitimate concern.
Is Information Week mainstream tech enough for you? http://www.informationweek.com/security/attacks-and-breaches/vbulletincom-hacked-customer-data-stolen/d/d-id/1112660
If not, how about PC World? http://www.pcworld.com/article/2064440/hackers-claim-they-used-zeroday-vulnerability-to-breach-vbulletin-support-forum.html
ozzy47
11-18-2013, 04:58 PM
Paul said in post #111 the recent issues are not vBulletin related.
Will Watts
11-18-2013, 05:08 PM
Paul said in post #111 the recent issues are not vBulletin related.
No he doesn't - he says IB might have an idea of how the attacks may have been attempted.
ozzy47
11-18-2013, 05:14 PM
Do you only read what you think you see or what is actually there? "And it's not anything vbulletin related."
They are not the same user or password, and never have been.
We have an idea how they may have got the details, and it's not via anything vbulletin related.
Will Watts
11-18-2013, 05:26 PM
Do you only read what you think you see or what is actually there? "And it's not anything vbulletin related."
Part of IB's great plan to be offensive to customers? This is a serious issue, and I'm asking legitimate questions. Please don't insult me.
Paul's post does not say that the hack wasn't caused by a vB exploit - it says IB may have an idea about something that might have caused the hack. It then says what they're looking into isn't a vB exploit.
That isn't the same as saying the hack wasn't caused by a vB exploit. Unless Paul gives us more information, we don't really have any idea whether a new exploit was used. The level of communication from IB is so bad that not even media sources can get a straight answer on what's happening - are customers remotely valued by this company or have even the staff given up on the product?
Digital Jedi
11-18-2013, 05:35 PM
Paul's post does not say that the hack wasn't caused by a vB exploit - it says IB may have an idea about something that might have caused the hack. It then says what they're looking into isn't a vB exploit.
We have an idea how they may have got the details, and it's not via anything vbulletin related.
I give up.
Simon Lloyd
11-18-2013, 05:54 PM
Think this thread has run its course as it's turning into bickering which clouds the facts.
Max Taxable
11-18-2013, 06:10 PM
Why do people keep trying to find ways to give VB passes on this?
Which by the way I owe you an apology as well, my reaction to what I saw as your "chicken little" approach wasn't my best efforts here. So I apologize and I hope you'll accept.
HOWEVER, once again I believe some of us here are overblowing this issue and asking for things vB dot org either can't give or won't give due to ongoing security issues...
Anyhow, mea culpa.
Will Watts
11-18-2013, 06:12 PM
The English language may not be everyone's strong point, but Paul's statement is not a definitive statement.
It does not say the hack was definitely not caused through a vBulletin exploit, even if you'd like it to say that, because he doesn't even claim to know exactly what happened.
TheLastSuperman
11-18-2013, 06:13 PM
Thread closed.
If someone wants to open a new discussion on this same topic then so be it, however let's keep it very calm and collected the next time around, if not I'll promptly close that one as well.
Edit: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4007719-regarding-claims-of-new-0-day-exploits-in-vbulletin