Canonical, which develops the Ubuntu operating system, said in a statement today that two million usernames, email addresses and IP addresses connected to the Ubuntu Forums were obtained by an unidentified attacker.
The attacker exploited a SQL injection vulnerability in an add-on for the vBulletin forum software that powers the forums.
This gave the attacker access to the underlying forum database, but according to the company only limited user data was obtained.
The company statement stresses that no operating system code or data from application repositories was exposed. It also states that the attacker could not write to the database or gain shell access, and did not gain access to any other Canonical or Ubuntu service.
After the breach, the servers were wiped and a fresh operating system was installed, new security measures were put in place, passwords were reset, and according to the company the forum software has been fully patched.
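The root cause named above is a SQL injection: user-supplied text was pasted into a query so that quote characters changed the query's structure instead of being treated as data. The following added example (not code from Canonical, vBulletin or the add-on in question, and using a constructed three-row table rather than any real forum schema) shows the vulnerable string-concatenation pattern beside the parameterised fix, so a reviewer can see the difference in behaviour on the same input.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a forum user table.
# Names, addresses and IPs are placeholders, not real records.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "203.0.113.10"),
    ("bob", "bob@example.com", "203.0.113.11"),
    ("carol", "carol@example.com", "203.0.113.12"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, email TEXT, ipaddress TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Anti-pattern: the caller's string is spliced into the SQL text, so a quote
    # in the input alters the WHERE clause instead of being matched as a value.
    sql = f"SELECT username, email, ipaddress FROM user WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver passes the value separately from the SQL,
    # so whatever the input contains it can only ever be compared as a literal.
    sql = "SELECT username, email, ipaddress FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demonstrate():
    """Run both lookups on a tautology-style input and on a normal username."""
    conn = make_db()
    probe = "nobody' OR '1'='1"  # no such user, but the quote breaks the concatenated query
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, probe)),              # nothing matches
        "safe_exact": lookup_safe(conn, "bob"),                   # normal lookup still works
    }


if __name__ == "__main__":
    print(demonstrate())
```

The fix is not escaping or filtering the input but never letting it become part of the SQL text; every database driver in common use offers placeholders of this kind, and a code review of a forum add-on should treat any string-built query as a defect.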
The statement added that although the forums use Ubuntu's single sign-on service, the passwords are hashed and salted. The statement does not indicate which hash algorithm was used; some algorithms still in use (such as MD5) are outdated and can be broken quite easily.
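To make the point about hashing concrete: an unsalted, fast hash such as MD5 gives every user with the same password the same digest, so a single precomputed table or a quick wordlist run recovers many accounts at once, whereas a per-user salt and a deliberately slow, memory-hard function force an attacker to work on each account separately and slowly. The following added example (not Canonical's or vBulletin's code, and with constructed passwords) contrasts the two schemes using only the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one fast hash, no salt (shown only to illustrate the weakness)."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF from the standard library; n/r/p are an illustrative choice."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a stored credential: a fresh random 16-byte salt plus the derived hash."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "hash": scrypt_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = scrypt_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def compare_schemes(password: str) -> dict:
    """Two users choose the same password; compare what each storage scheme reveals."""
    legacy_a = md5_unsalted(password)
    legacy_b = md5_unsalted(password)
    rec_a = make_record(password)
    rec_b = make_record(password)
    # A constructed "precomputed table" of unsalted digests for a few common words:
    # with MD5 and no salt, a stored digest is reversed by a dictionary lookup.
    table = {md5_unsalted(w): w for w in ["password", "123456", "letmein", password]}
    return {
        "md5_digests_collide": legacy_a == legacy_b,          # same password -> same digest
        "md5_reversed_by_table": table.get(legacy_a),          # recovered instantly
        "salted_hashes_collide": rec_a["hash"] == rec_b["hash"],  # different salts -> differ
        "verify_ok": verify(password, rec_a),
        "verify_wrong": verify(password + "x", rec_a),
    }


if __name__ == "__main__":
    print(compare_schemes("correct horse"))
```

Salting alone defeats shared precomputed tables; the slow, memory-hard function is what makes per-account guessing expensive, which is why bcrypt, scrypt or Argon2 rather than a salted MD5 or SHA-1 is the expectation for any new deployment.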
It's a good idea to change your passwords immediately and enable two-factor authentication.