So, Got Hacked

Not open for further replies.

Alteran Ancient

Well-known member
First Ubuntu Forums. Then MacRumors. Now I bring this up, because naturally, a good number of members here will have been members or customer of vBulletin at some point. If you are one of those people, go and get your passwords changed. You should be doing that anyway, regardless of whether sites are being hacked or not!

So, it seems breaking into forums and other data-rich systems is becoming a thing - specifically to obtain user data such as email addresses and password hashes. In the case of Ubuntu and MacRumors, the weak point would have been a compromised Moderator account, or someone with the ability to post raw HTML.

Now, XenForo was built from the ground-up with security in mind. That said, you cannot afford to be complacent. With a default set-up, your members and moderators have no ability to post any HTML - just BB Code. vBulletin had the HTML-enabled Announcements feature and in previous security breaches, was used as a method to obtain an Administrator's cookie and gain access. XenForo does not have this problem.

Another plus for XenForo - plugins code is loaded from the library directory on the server's file system. Obtaining access to the Admin CP still limits how much access a hacker has to your system and by extension, its Databases.

Seeing these kind of announcements is quite worrying. I'm going to assume that you don't want the same to happen to your own forum, which is why ensuring security is necessary. To save you the run-around and panic, I've given you a list of various things you can do to improve the security of your forum and infrastructure...

Server Security
  • Disable external logins to your 'root' account. They can't break in if they don't know your username!
  • Install denyhosts or fail2ban on your server to prevent brute-force attempts.
  • Employ the use of two-factor authentication (Duo Security, or Google Authenticator).
  • Route your site through CloudFlare to make your server IP harder to find.
  • Ensure that Apache/Nginx/PHP and other web services run on a non-root user, so that any uploads may not compromise your entire server.
  • Make sure that MySQL can only be accessed by localhost - maintenance can be done via SSH tunnel or phpMyAdmin
Forum Security
  • Give your administrators only what they absolutely need - nothing more. Limit the management of plugins and templates only to those who absolutely need it. The more administrative accounts you can make useless to a hacker, the better.
  • Give your moderators only what they need. There is far less opportunity for abuse here, but regardless, do check what your moderators can access.
  • Demote the accounts of any inactive staff. The more stray elevated accounts hanging around, the more opportunity for a hacker to get in if any of them were using a weak password or had their email compromised.
  • Put some kind of policy in place for your staff to change their passwords on a regular basis. It's annoying, but is a fairly common-sense security practice and means if an old password gets nabbed by a hacker, it won't be a problem.
  • If you want to get really technical, you could implement two-factor authentication for your forum accounts. Personally, I'd only want to implement this for moderators. Giving your users access to this would probably just complicate things!

Maybe this is making a bit of a mountain out of a molehill, but at least by wasting your time with this thread, maybe I made you think or gave you some sensible ideas.


Well-known member
It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.

But this will be my only post on the matter.

Alteran Ancient

Well-known member
It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.

But this will be my only post on the matter.
Whether the live itself was hacked, or if it was something else, the emails advising us to change our passwords is an embarrassing admission to playing loose with customer data. It shouldn't have happened. If you want to be pedantic, an asset of vBulletin Solutions "got hacked".

And if you have a spare $7000usd you can buy the exploit here
Probably not a good idea to link to that on here.

Brandon Sheley

Well-known member
It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.
It might as well have been
In a vbulletin newsletter IB stated that customer info could have been compromised.
Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems.
I had asked Paul M if it was on the same servers as but I've yet to see confirmation.

Also I'm sure this thread will be closed soon. I doubt xf really cares about what happens to vb, neither should we. ;)


XenForo moderator
Staff member
Several threads related to this have already been closed/deleted.

I will close this one so everyone is in no doubt that threads on this subject are better suited elsewhere.

If it was a general discussion on security and exploits that would be fine, but the vB bashing has already started and on previous form that will just continue.
Not open for further replies.