
Not long ago I had contact with Troy Hunt of https://haveibeenpwned.com about the mass of account databases that have been breached lately, especially vBulletin forums. Troy can hardly keep up with the number of databases that are available on the net. Here are the latest breaches: https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches


There are now billions of account name & password combinations that hackers have access to. All they need to do is to query XenForo to see which of these exist on a site, which can currently be done without limit. Then half of the work is done and the related passwords for those accounts can be tried with 4 attempts, but they only need one try per account to see if the password matches.


I think it would be a good move if XenForo would treat this partial vulnerability as an important issue.
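
The gap described in the post, as an added example that is not part of the original post and not XenForo code: a per-account attempt limit (4, as in the post) never fires when each account is tried only once, while counting distinct accounts per source does. The event tuples, addresses and the threshold of 5 are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample login events: (source_ip, account, succeeded).
# Names, addresses and thresholds are assumptions for illustration.
EVENTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),
    ("203.0.113.7", "frank", False),
    ("198.51.100.20", "grace", False),
    ("198.51.100.20", "grace", False),
    ("198.51.100.20", "grace", True),
]

def locked_accounts(events, limit=4):
    """Accounts a per-account lockout would trip: `limit` failures on one account."""
    failures = Counter(acct for _, acct, ok in events if not ok)
    return {acct for acct, n in failures.items() if n >= limit}

def spraying_sources(events, min_accounts=5):
    """Sources whose login attempts span at least `min_accounts` distinct accounts."""
    seen = defaultdict(set)
    for src, acct, _ in events:
        seen[src].add(acct)
    return {src: len(accts) for src, accts in seen.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    # One try per account stays under the per-account limit ...
    print("locked by per-account limit:", locked_accounts(EVENTS))
    # ... but the same source touching many accounts stands out.
    print("flagged by per-source count:", spraying_sources(EVENTS))
```

A user who mistypes their own password twice from one address is not flagged by either check, so the per-source count can sit alongside the existing per-account limit rather than replace it.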

