Ubuntu Forums hacked

If you have an account there, make sure to change your password:

http://www.zdnet.com/article/ubuntu-forums-hack-exposes-two-million-users/

Oi, that’s a mess. Happy to have been so smart to use unique passwords.

I’m glad we’re able to provide a lot more user security in these forums. Ubuntu uses vBulletin just like we do. They chose to use the vBulletin native login/security which keeps user information “secure” in the forum database. We chose to use a Micro Focus product that secures user information outside of the forum application. When someone logs in here, it takes the login information back to our directory, authenticates the user outside of the system, then returns the authenticated user back to the application. The only thing exchanged between the application and the directory is the user ID and email address. Passwords are never stored, nor even used in the vBulletin application.

We’ve had similar hacking attempts on these forums, but they’ve always failed because there are no passwords stored for anyone to retrieve.

That said, we know email addresses are stored in our database and we want to make sure those are not compromised either, so we’ve done what we can to harden the system to protect against such attacks. I won’t go into what those protection measures are as I don’t want to give someone ideas of what to attack, but we are making our very best effort at keeping our members’ data safe.

Our system does make it a little more difficult to change email addresses and passwords (see our forum FAQ), but that’s a small price to pay for the security we have in place.

Thank you for this extensive explanation. I hope it will convince our members that the technical staff does all it can to make our forums secure.

I never doubted this. Thank you for the hard work of all the people involved :slight_smile:

Many thanks! You guys deserve a golden star, really!

Well, some of us are famous already :slight_smile:

Awww. Shucks. :smiley: I can’t take all the credit however. Our IT team here at SUSE/Micro Focus is pretty good. Having a section of Micro Focus being dedicated to security products is a plus.