vBulletin released a security patch on 2 November for versions 5.1.4 through 5.1.9 of its forum software, just hours after reports emerged that its website had been hacked, Ars Technica reported.
Passwords and other sensitive information for almost 480,000 subscribers may have been leaked.
vBulletin has instituted a mandatory password reset for its users, warning them that the attacker may have accessed customer IDs and encrypted passwords.
The report noted that what went unmentioned is the possibility of a critical security vulnerability in vBulletin’s forum software.
It is speculated that the attacker used a 0-day vulnerability that is over 3 years old to get into vBulletin’s system and access the personal information of 479,895 users.
A Twitter user who goes by @_cutz posted an analysis of such a vulnerability, specifically a remote code execution exploit.
Ars Technica highlighted that two years ago there was a similar breach at vBulletin, which the company said was not the result of a 0-day flaw, but of an insecure system used for testing vBulletin mobile applications.