Kodi has confirmed a data breach of its user forum. The development team became aware of the hack after the stolen data was circulated for sale on the darknet.

The Kodi software itself (the latest version is Kodi 20) was not affected by the breach.


Initial investigation into the matter revealed that the attacker compromised an account of an inactive forum administrator, and managed to gain access to the administrator console twice. This happened in mid-February 2023.

The administrator account was used to back up the databases, which the attacker then downloaded.

Once it discovered the breach, Kodi disabled the account to prevent future access to its systems. It also "carried out an initial review of the team's infrastructure accessed by the team member," reported the incident to UK police and notified the UK Information Commissioner's Office.

Database backups circulating on the darknet “contain all public forum posts, all group forum posts, all messages sent through the user-to-user messaging system, user data such as their forum name, the email address used for notifications and an encrypted (hashed and salted) password generated by the MyBB software (v1.8.27)”.

Forum users should assume that their "Kodi forum credentials and any private data shared with other users through the user-to-user messaging system has been compromised."

Although the passwords are encrypted, Kodi considers them to have been compromised and says they should be changed.

Kodi announced the following measures to address the breach:

  • All exposed email data will be shared with Have I Been Pwned, a website that shows whether an email address has been part of a breach.
  • Kodi is planning to perform a password reset. This will reset all passwords and prevent further breaches or access to personal data. Kodi forum users should also change their passwords on other services if they used the same one.
  • The forum has been upgraded to the latest version and will be offline for a few days. Access to the admin console will be further restricted and strengthened.

Passwords will likely be reset once the forum is back online. Users will be notified by email of the reset and will need to set a new password when they first visit the forum.

