Security Ubuntu

Ubuntu Linux Forums Hacked -- IP Address, Username, Email of 2M Accounts Compromised (betanews.com)

Canonical announced on Friday that the Ubuntu forums have been hacked. The company adds that data such as the IP address, username, and email address of over two million users have been compromised. BetaNews reports: Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only thing affected is the online forums that people use to discuss the OS. Still, such a hack is embarrassing, as it happened due to Canonical's failure to install a patch. In a blog post, Jane Silber, Chief Executive Officer, Canonical said, "after some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched."


  • Online forum software can be hard to update if any mods / plug-ins are in use.

    • by dgatwood ( 11270 )

      Online forum software can be hard to update if any mods / plug-ins are in use.

      The thing is, you shouldn't need to update them. The biggest problem on the Internet today, IMO, is that so much of our user-facing infrastructure software was written before modern database access techniques, such as the use of parameterized queries.

      In my personal life, the very first thing I do before I install any piece of client-facing software is audit the thing top to bottom, making sure every single SQL query uses parame

      • by Qzukk ( 229616 )

        The real problem is that if you google for a tutorial, half the tutorials out there were written before modern database access techniques and nobody ever takes them down, so new programmers become "educated stupid" (to borrow from the timecube guy).

        • I had to search the Internet to know what a parameterized query is.

          I am not a programmer but I have written some web applications in Perl.

          Turns out, I have been using parameterized queries all along for my inserts and updates.

          So, there you go, Internet documentation, at least for Perl's DBI, appears to "educate smart".
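The summary above describes a SQL injection in the Forumrunner add-on, and the thread here argues that parameterized queries are the fix. The following is an added example, not code from Canonical, vBulletin or Forumrunner: a small lookup written the injectable way (user text spliced into the SQL string) next to the same lookup with a bound parameter, run against an in-memory SQLite table with constructed sample rows, using the same username/email/IP fields the breach exposed. The table, rows and payload are all assumptions made for the demonstration.

```python
"""Added example: string-built SQL vs. a parameterized query.

Not the forum software's code; the schema, sample users and payload
are constructed here so the script runs offline on an in-memory DB.
"""
import sqlite3


def make_db():
    """Build an in-memory table with the same kinds of fields the breach exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, ip TEXT)"
    )
    # Constructed sample rows (RFC 5737 documentation addresses), not real data.
    conn.executemany(
        "INSERT INTO users (username, email, ip) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.org", "192.0.2.10"),
            ("bob", "bob@example.org", "198.51.100.7"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the caller's text becomes part of the SQL grammar."""
    sql = "SELECT username, email, ip FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Safe: the driver sends the value separately; it is never parsed as SQL."""
    sql = "SELECT username, email, ip FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload (constructed): closes the quoted literal and
# appends an always-true condition, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def compare(username):
    """Return (rows from the vulnerable lookup, rows from the parameterized one)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    bad, good = compare(PAYLOAD)
    print("vulnerable query returned", len(bad), "rows:", bad)
    print("parameterized query returned", len(good), "rows:", good)
```

With the payload, the string-built query returns every user's email and IP address while the parameterized query returns nothing, because the bound value is compared as data, not interpreted as SQL. The caveat a practitioner should keep in mind: binding protects values only; table or column names and ORDER BY clauses taken from user input still need an allow-list.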

  • by subk ( 551165 ) on Friday July 15, 2016 @11:04AM (#52518429)
    Love the metadata on the image they used in TFA: "Hacker desk laptop hoodie hacking hooded". I guess a white dude with facial hair and a hoodie is automatically "hacking" if he has a laptop out.
  • by CaptainDork ( 3678879 ) on Friday July 15, 2016 @11:10AM (#52518473)

    ... those bastards.

    On a related note, my lawyer wants to know what the terms, "ubuntu," and "linux," and "forum," mean.

    Help here, please?

  • I read TFA and it seems like they had some good practices in place. True, there was some contiguous PII released that could be used, along with other data, to identify someone. That said, they didn't lose any passwords.

    Good on them. Sure, getting hit sucks, but this could have been a lot worse.

  • I hope they were not able to link my domain http://hackme.houghi.org/ [houghi.org] to my IP address, because that would mean I am extremely hackable.

    • Leaked IP address, username and email address. Hmm... Let's take a look at any Debian bug report submitted using reportbug [debian.org]:

      From kilobyte@angband.pl Wed Jul 13 16:11:52 2016
      Received: (at submit) by bugs.debian.org; 13 Jul 2016 16:11:52 +0000
      [...]
      Received: from tartarus.angband.pl ([2a03:9300:10::8])
      by buxtehude.debian.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
      (Exim 4.84_2)
      (envelope-from <kilobyte@angband

  • They should have hosted this stuff on open source software - it's super secure
    • They should have hosted this stuff on open source software - it's super secure

      This isn't a zero-day attack. Whoever was the sysadmin for the Ubuntu forums didn't apply a security patch. The same thing can happen if you don't patch a Microsoft SQL Server.

  • I log in using SSO. Has my account info been hacked too? If so, that's my main Google account :-(. Time to change some passwords, methinks.

  • Both the recent VerticalScope hack and this have one thing in common: vBulletin. It is a pile of junk, and especially since it was acquired by a firm known as Internet Brands. It is awful software, and a forum about an open source product which uses proprietary components is ethically unsound.
  • If only we had common uses of OpenID, compromising services would have essentially zero material benefit for the perpetrators...

  • by nnull ( 1148259 )
    Years later, we still deal with SQL injections when it was supposed to be "resolved" by now.
