An Ubuntu Forums Council member notified Canonical’s Information Security team that someone was claiming to have a copy of the forums’ database. The team investigated and found that the breach occurred through a known SQL injection vulnerability in a vBulletin forums add-on; a patch for it was available, but the company had not yet applied it.
Canonical said the injection gave the attackers the ability to read any table in the database, but the company believes they only read from the “user” table; on that basis it does not think the attackers obtained anything that would let them take over forum accounts with higher privileges.
They were, however, able to download the records of more than two million users, including usernames, email addresses and IP addresses. No usable passwords were exposed: the password column held only random placeholder strings rather than users’ real passwords (the forums authenticate users through Ubuntu Single Sign On), and even those placeholders were stored as salted hashes, so what the attackers copied cannot be turned back into a password.
The company also believes the attackers had only read access to the database: they could copy its contents, but they could not modify data or write code to Canonical’s servers.
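To make concrete how a single unparameterized query in an add-on lets a read-only attacker pull rows from a table the feature was never meant to touch, here is an added example written for this page (it is not code from vBulletin, the add-on, or Canonical). It uses an in-memory SQLite database with a constructed two-row “user” table and a “thread” table; the schema, rows, function names and the UNION payload are all assumptions for the illustration.

```python
import sqlite3

# Constructed sample data (assumption for this example): a minimal forum
# schema with the "user" table the article mentions and a "thread" table
# that a search feature legitimately queries.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (
            userid    INTEGER PRIMARY KEY,
            username  TEXT,
            email     TEXT,
            ipaddress TEXT,
            password  TEXT   -- placeholder for a salted hash, not a real password
        );
        CREATE TABLE thread (
            threadid INTEGER PRIMARY KEY,
            title    TEXT
        );
        INSERT INTO user VALUES (1, 'alice', 'alice@example.org', '192.0.2.10', 'salted-hash-1');
        INSERT INTO user VALUES (2, 'bob',   'bob@example.org',   '192.0.2.11', 'salted-hash-2');
        INSERT INTO thread VALUES (1, 'Welcome to the forums');
        INSERT INTO thread VALUES (2, 'Help with wifi');
    """)
    return conn


def search_threads_vulnerable(conn, keyword):
    """Search by string concatenation: attacker input becomes part of the SQL text."""
    sql = "SELECT threadid, title FROM thread WHERE title LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_threads_fixed(conn, keyword):
    """Same search with a bound parameter: the input is data, never SQL syntax."""
    sql = "SELECT threadid, title FROM thread WHERE title LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


# Constructed UNION payload: it closes the LIKE string, appends a SELECT over
# a table the search feature never queries, and comments out the remainder of
# the original statement. Only SELECT is needed, so read-only access suffices.
UNION_PAYLOAD = (
    "zzz%' UNION SELECT userid, username || ':' || email || ':' || ipaddress "
    "FROM user -- "
)


def demo():
    """Run the legitimate search and the payload through both versions."""
    conn = build_db()
    return {
        "legit_vulnerable": search_threads_vulnerable(conn, "wifi"),
        "legit_fixed": search_threads_fixed(conn, "wifi"),
        # UNION output order is not guaranteed, so sort for a stable result
        "leak": sorted(search_threads_vulnerable(conn, UNION_PAYLOAD)),
        "blocked": search_threads_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The legitimate search behaves identically in both versions, which is why this class of bug survives testing. Note that binding the parameter stops the input from becoming SQL, but `%` and `_` inside it are still interpreted as LIKE wildcards; if that matters for the feature, escape them separately.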
Canonical also said that the attackers did not reach the Ubuntu code repository or the company’s update mechanisms; a compromise there could have been used to push malicious code to Ubuntu users.
The company also believes that the attackers weren’t able to gain access to any other Canonical or Ubuntu services.
To recover, Canonical backed up the affected servers and rebuilt the Ubuntu Forums on a clean installation of the vBulletin forums software with the latest security patch applied. Although the company said it does not think the attackers gained system-level access, it reset all system and database passwords.
Canonical also said it will apply vBulletin patches more promptly from now on, to shorten the window in which a known flaw can be exploited against its forums. It also installed ModSecurity, a web application firewall, as an additional layer intended to help block similar attacks in the future.
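As an added illustration of the kind of web application firewall rule being described (an example written for this page, not Canonical’s actual configuration; the rule id and message text are assumptions), here is a minimal ModSecurity 2.x configuration that denies requests whose parameters look like SQL injection. The first directive is the one that matters in practice: in `DetectionOnly` mode the engine logs matches but lets the request through.

```apache
# Added example, not Canonical's configuration. ModSecurity 2.x directives.

# Weak setting: rules are evaluated and logged, but nothing is blocked.
# SecRuleEngine DetectionOnly

# Blocking mode: requests that match a deny rule are rejected.
SecRuleEngine On
SecRequestBodyAccess On

# Run libinjection's SQLi detector over query-string, form and cookie values
# after decoding them, and reject the request with HTTP 403 on a match.
# Rule id 100001 and the message are assumptions for this example.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:100001,phase:2,t:none,t:urlDecodeUni,t:removeNulls,deny,status:403,log,msg:'SQL injection attempt'"
```

A rule like this is a compensating control, not a fix: it reduces the chance that an injection reaches an unpatched add-on, but the underlying query still has to be parameterized or the patch applied.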
The Ubuntu Forums were previously breached in 2013 through a compromised moderator account whose default security settings allowed the posting of unfiltered HTML.