vBulletin released a security patch on 2 November for version 5.1.4 through 5.1.9 of its forum software, just hours after reports emerged that its website had been hacked, Ars Technica reported.
Passwords and other sensitive information for almost 480,000 subscribers may have been leaked.
vBulletin has instituted a mandatory password reset for its users, warning them that the attacker may have accessed customer IDs and encrypted passwords.
The report noted that vBulletin's statement did not mention that there may be a critical security vulnerability in its forum software.
It is speculated that the attacker used a 0-day vulnerability that is over 3 years old to get into vBulletin’s system and access the personal information of 479,895 users.
A Twitter user who goes by @_cutz posted an analysis of such a vulnerability, specifically a remote code execution exploit.
Ars Technica highlighted that two years ago there was a similar breach at vBulletin, which the company said was not the result of a 0-day flaw but of an insecure system used for testing vBulletin mobile applications.