vBulletin forumware powering site is known as a sieve
The latest forum to leak, Disney’s Playdom, was running the vBulletin forumware already known to have leaked big back in June.
On Friday, Disney announced it had taken the forum offline after discovering someone had accessed usernames, passwords, e-mail addresses, and logged IP addresses for playdomforums.com accounts. Its oops-we’re-so-sorry statement includes the usual useless assurance that no credit card data was held on the site.
At the time of writing, the site remained offline. Disney hasn’t stated how many accounts were leaked in the attack, nor has it explained why passwords were held in an accessible format.
GameInformer, however, says the forums had around 391,000 members.
Troy Hunt noted the connection to vBulletin over the weekend:
In news that should surprise absolutely nobody, Disney’s hacked forum software was running on vBulletin https://t.co/s6Uw4xXyl0
— Troy Hunt (@troyhunt) July 30, 2016
This is supported by a forum post dated 2010.
The popular CMS was in use at VerticalScope, whose June 2016 breach leaked around 45 million sets of credentials.
In 2014, vBulletin user OpenSUSE leaked e-mails but not passwords; vBulletin’s own forums were hit in November 2015. ®