Serious security vulnerabilities in the vBulletin forum software have lead to a massive exploit over several noteworthy sites, including top online games The Secret World and Anarchy Online. More than 27 million user profiles are affected in total.
The VBulletin Issues Exposed Millions of Accounts on a Variety of Sites and Services
Computer criminals have started to target seriously web sites and services that use the Vbulletin forum software. Recent security vulnerabilities have given hackers the ability to expose about 27 million accounts across popular computer games forums and one of the biggest email providers – mail.ru.
A lot of the compromised profiles were linked to some of the games that are part of the mail.ru website. Other targets include the forums of expertlaw.com and gamesforum.com. The cause of the security exploit was running unpatched versions of the forum software that allows malicious users to use SQL injection attacks against the Forumrunner add-on on installations older than versions 4.2.2 and 4.2.3. The vulnerabilities were patched in June. However, the targets have not updated their systems and thus allowed the security breach.
About 12 million passwords from the leaked data were cracked. Users of the email.ru service has their usernames, phone numbers and IP addresses leaked as well. The passwords themselves are stored in storage with a variation of MD5 with or without unique salts. The following domains were compromised:
- expertlaw.com
- ageofconan.com
- anarchy-online.com
- freeadvice.com
- gamesforum.com
- longestjourney.com
- ppcgeeks.com
- thesecretworld.com (EN)
- thesecretworld.com (FR)
- thesecretworld.com (DE)
Mail.ru representatives stated that the leaked passwords are old and no longer valid. In addition all mail.ru group forums and games utilize a secure integrated authorization systems for some time ago which prevents security intrusions from malicious users. Comments from other sources are not yet available.
