Canonical, the developer of the Ubuntu operating system, said Friday in a statement that two million user names, email addresses, and IP addresses associated with Ubuntu Forums were hijacked by an anonymous intruder.
The attacker exploited a SQL injection vulnerability in an add-on for vBulletin, one of the largest forum software packages, which the forums use.
This gave the attacker access to the forum's database, but according to the company the attacker managed to obtain only limited user data.
The company statement highlights that no operating system code or data from application repositories was involved. It also states that the attacker could not write data to the database or gain shell access, and did not manage to gain access to any other Canonical or Ubuntu service.
After the breach, the servers were formatted, a new operating system was installed, new security measures and new passwords were put in place, and according to the company the forum software has been fully patched.
The statement added that although the forums use Ubuntu's single sign-on service, the passwords are hashed and salted. The statement does not say which hash algorithm was used, which matters because some algorithms that are still in use (like MD5) are outdated and can be broken quite easily.
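"Hashed and salted" says little until the algorithm is known. The Python below is an added example, not code from Canonical or vBulletin: it assumes a hypothetical `scheme$salt$digest` record format and a chosen PBKDF2 iteration count, and shows how a site can audit for fast legacy hashes such as salted MD5 and upgrade them on the next successful login.

```python
import hashlib, hmac, os

PBKDF2_ITERATIONS = 600_000  # assumption for this example; tune to your hardware

def hash_md5_salted(password: str, salt: bytes) -> str:
    """Legacy scheme: a single MD5 pass over salt+password, so each guess is cheap."""
    return "md5$%s$%s" % (salt.hex(), hashlib.md5(salt + password.encode()).hexdigest())

def hash_pbkdf2(password: str, salt: bytes) -> str:
    """Iterated KDF: every guess costs PBKDF2_ITERATIONS HMAC-SHA256 rounds."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%s$%s" % (salt.hex(), dk.hex())

SCHEMES = {"md5": hash_md5_salted, "pbkdf2": hash_pbkdf2}

def verify(password: str, stored: str) -> bool:
    """Recompute the record with its own scheme and salt, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in SCHEMES:
        return False  # unknown or malformed record: fail closed
    candidate = SCHEMES[parts[0]](password, bytes.fromhex(parts[1]))
    return hmac.compare_digest(candidate, stored)

def login(db: dict, user: str, password: str) -> bool:
    """Verify the password; on success, re-hash any legacy record with PBKDF2."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = hash_pbkdf2(password, os.urandom(16))  # fresh random salt
    return True

def audit(db: dict) -> list:
    """Return the users whose stored record still uses a fast, outdated hash."""
    return sorted(u for u, s in db.items() if not s.startswith("pbkdf2$"))

def build_sample_db() -> dict:
    """Constructed sample records: one legacy salted-MD5 user, one PBKDF2 user."""
    return {
        "alice": hash_md5_salted("correct horse", os.urandom(16)),
        "bob": hash_pbkdf2("battery staple", os.urandom(16)),
    }
```

Records that `audit` still lists after a migration window belong to accounts that have not logged in; forcing a reset for those avoids keeping the weak hashes indefinitely.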
It's a good idea to change your passwords immediately and enable two-factor authentication.