It would appear that, on the day of July 14, 2016, the Ubuntu Forums were compromised by someone who managed to get past the security measures implemented by Canonical and access the forum’s database.
Canonical was immediately notified of the fact that someone claimed to have a copy of the Ubuntu Forums database. After some investigation, it appears that the forum’s database was indeed attacked at 20:33 UTC on July 14, 2016, by someone who injected certain formatted SQL to the database servers on the Ubuntu Forums.
“Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched,” said Jane Silber, Canonical CEO. “This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.”
Canonical reports that the attacker managed to download parts of the “user” table that contained IP addresses, email addresses, and usernames of over 2 million registered users. However, the attacker couldn’t access active passwords of the users as they are stored as random strings thanks to the Ubuntu Single Sign On (SSO) technology.
The random strings were downloaded as well
Furthermore, Canonical reports that the attacker also downloaded the respective random strings, which, fortunately, were salted and hashed. The company assures users that the attacker didn’t manage to access the Ubuntu code repository, the update mechanism, any valid user passwords, or gain remote SQL write access to the database.
Additionally, the attacker did not gain shell access on any of the database servers for Ubuntu Forums app, the front-end servers, or any other Ubuntu or Canonical services. To prevent certain breaches in the future, Canonical installed ModSecurity on the forums, a Web Application Firewall, and improved the monitoring of vBulletin.