Ubuntu Forums Hacked, Attackers Get Away With Names, Emails And Salted Passwords

Image: Canonical

Yesterday, Ubuntu custodian Canonical made users aware that its official forums had been breached via SQL injection. While usernames, email addresses and salted passwords were nabbed in the attack, Canonical is confident hackers did not get access to any core Ubuntu services.

Ubuntu was quick to inform users of the breach — which occurred on July 14 — with the news posted a day after the event.

Although the company has taken restorative and preventative measures, including rebuilding its forum servers "from the ground up" and resetting "all system and database passwords", there's no escaping the fact the breach leaked important user data:

The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the 'user' table.   They used this access to download portions of the 'user' table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted).

Even with passwords given the cryptographic one-two, it's still advisable that you change your login as soon as possible. As for the stolen emails, well, time to keep an eye on your inbox.

Notice of security breach on Ubuntu Forums [Ubuntu, via gHacks]


Comments

    So, who do we believe?

    Logan writes:
    While usernames, email addresses and salted passwords were nabbed in the attack, Canonical is confident hackers did not get access to any core Ubuntu services.

    Ubuntu Writes:
    They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins.

    Ubuntu SSO are not passwords. They are tokens.

      Well, that would be Canonical, wouldn't it?

      the passwords stored in this table were random strings

      They're certainly not usable, of course, but it's password data nonetheless. I'm not sure why you're confused about this?

        but it's password data nonetheless

        It's not, it's openid access token data. Random strings that were part of Single Sign On. This is in their statement.

        Part of your assumption is you only read the small few words

        the passwords stored in this table were random strings

        and not the full sentence

        No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins.

        and understanding just what "Ubuntu Single Sign On" is. To elucidate on that it's detailed in https://help.ubuntu.com/community/SSO

        I'm not sure why you're confused about this?

        Because YOU claim salted passwords were stolen where Ubuntu's own statement there suggests they are not.

        Going further into this their full statement is at: http://insights.ubuntu.com/2016/07/15/notice- of-security-breach-on-ubuntu-forums/ where they state in black and white

        We know the attacker was NOT able to gain access to valid user passwords.

        Salted passwords, are by nature, still valid passwords that can be de-salted and run against a rainbow table or any other form of cracking tool.

        In this case the attackers only got the access token, which if Ubuntu invalidate means no access to any of their other systems that use SSO.

    Looking further into this suggests that those are not even tokens, just random strings.

    https://ubuntuforums.org/showthread.php?t=2330842 post 5.

    If I read that post correctly it seems when Ubuntu moved to SSO for vBulletin they had no need for the user.password field any more so went through and just randomised all the data in that field. Random strings in the password field with OpenID doing the login.

    No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins.

Join the discussion!

Trending Stories Right Now