Canonical publicly declared that it was the victim of a data breach. It told members that the hack compromised personal data. Canonical is the developer of the open-source operating system Ubuntu.
According to a report published by Canonical CEO Jane Silber, the hackers accessed the forums database on 14 July. After the breach, Canonical temporarily took its servers offline to prevent further attacks. Silber confirmed that the attackers did not access plain-text passwords. However, the breach may have allowed the hackers to download email addresses, usernames, and IP addresses. The only passwords the intruders may have downloaded would appear as salted and hashed random strings used for Single Sign-on.
Canonical uses vBulletin software to run the forums. The software had known vulnerabilities, which explains how the forums database was breached. Informing users about the breach is admirable and bold. However, running software with known SQL injection vulnerabilities is careless. Keeping the website updated would have prevented the breach.
Outdated vBulletin software was also behind a similar attack a few weeks earlier. In June, a Canadian media company, VerticalScope, was breached. That breach compromised the usernames, emails, passwords, and IP addresses of over 45 million users across 1,100 different forums.
Fortunately, Canonical has since cleaned up the mess. The company reset all passwords after wiping and rebuilding its servers. It also upgraded to the latest release of the vBulletin software. In addition, Canonical installed a Web Application Firewall to discourage future attacks.
This attack is one of many cyber-attacks we have heard of this year. In the past few months, there has been a series of attacks on major sites, including LinkedIn and Twitter. Authorities recently discovered the login information of 117 million LinkedIn users on the dark web. These types of attacks are common these days, and keeping track of such news is hard. For this reason, top security researchers have built services that check whether your email address appears in any known data breach. HaveIBeenPwned is one such service.