vBulletin password hack fuels fears of serious Internet-wide 0-day attacks

Enlarge (credit: Coldzer0)

Developers of the vBulletin software package for website forums released a security patch Monday night, just hours after reports surfaced that a hack on the developers' site leaked password data and other sensitive information belonging to almost 480,000 subscribers.

vBulletin officials have put in place a mandatory password reset for all users after discovering it was subjected to a hack attack. They went on to warn that the attacker "may have accessed customer IDs and encrypted passwords on our system." A separate post on the vBulletin site makes reference to a security patch for versions 5.1.4 through 5.1.9 of the vBulletin Connect software package.

Noticeably missing from either link is an explicit warning that there is a critical vulnerability in vBulletin that has already been actively exploited and puts thousands of sites at risk until they install the patch. Ars asked vBulletin officials to clarify the reports and to confirm or disconfirm the speculation they have generated, but so far the request has gone unanswered. This post contains inferences and information from alternative sources that has yet to be explicitly confirmed.

Read 4 remaining paragraphs | Comments