https://insights.ubuntu.com/2016/07/15/notice-of-security-breach-on-ubuntu-forums/ Also: https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Forums-Breached
Twice, actually: http://www.theregister.co.uk/2013/07/21/ubuntu_forums_breached_18_passwords_pinched/
It's not a great idea to use emails that you actually use for registering accounts. This is minor compared to the Mint hack, which replaced links to ISOs with their own, and they were inside Mint for at least a month after ignoring someone who told them they were hacked, then claimed to have fixed the issue before shutting down everything for weeks when they found they didn't fix it. The Mint hacker DID have actual forum passwords. "No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted)."
Source. ...As long as they hashed and salted the passwords correctly, there should be no password breach. EDIT: I see now that @AutoCascade makes reference to this.
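To make concrete what "hashed and salted correctly" means in the two posts above, here is an added example that is not from the thread, from Canonical or from the forum software. It is a self-contained Python script using a constructed user table; the algorithm (PBKDF2-HMAC-SHA256), the 200,000-iteration count and the 16-byte salt are assumed parameters chosen for illustration, not anything the breach notice states. It contrasts an unsalted fast hash, where two users with the same password produce the same digest and one precomputed table cracks both, with a per-user random salt and a slow KDF, where the stored values differ and verification still works.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256,
# 200k iterations, 16 random salt bytes per user.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_sha1(password: str) -> str:
    """The weak form: one fast, unsalted digest. Equal passwords give equal
    hashes, so a single precomputed (rainbow) table cracks every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The stronger form: a fresh random salt per user and a deliberately slow
    KDF. The salt is stored alongside the digest; it is not a secret, it only
    forces an attacker to recompute the work per user instead of per table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record, so iterations/salt can be rotated later.
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_tables(users: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return both storage forms for a constructed user table, so the
    difference can be inspected (or asserted on) directly."""
    return {
        "unsalted": {name: unsalted_sha1(pw) for name, pw in users.items()},
        "salted": {name: hash_password(pw) for name, pw in users.items()},
    }


def shared_password_exposed(table: Dict[str, str]) -> bool:
    """True if any two users have identical stored values, i.e. an attacker
    can tell they share a password and crack both with one guess."""
    return len(set(table.values())) < len(table)


if __name__ == "__main__":
    # Constructed sample data: alice and bob deliberately share a password.
    sample_users = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}
    tables = build_tables(sample_users)
    print("unsalted collision:", shared_password_exposed(tables["unsalted"]))  # True
    print("salted collision:  ", shared_password_exposed(tables["salted"]))    # False
    print("alice verifies:    ", verify_password("correct horse", tables["salted"]["alice"]))
    print("wrong pw rejected: ", verify_password("wrong", tables["salted"]["alice"]))
```

Note that salting alone does not make a dump harmless: with a fast hash the attacker simply guesses each user's password in turn. The iteration count is what makes each guess expensive, which is why the example pairs the salt with a slow KDF rather than a bare SHA-1 or MD5.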
The patch for that vulnerability has long been released, but no one at Ubuntu Forums bothered to install it. The admins of that forum should be fired and should never get a similar job in the future. These stupid morons did not have basic security sense while they had millions of people's personal login info in their hands. Is it that hard to keep their software up to date?
Not really. If the forums are well built then the admins only need to press a button. I know this because I'm the admin of an IPB forum. One click and you're done.

Ah, come on... everybody makes mistakes. I'm sure this will be a very valuable lesson to those people (and also to the people who say Ubuntu does security "the right way", which it does not, but that's not the point of this thread). That shouldn't be a reason to be on some sort of IT blacklist, IMO.
It's a bit more complicated than that. From what I understand, the admins, who are non-paid volunteers, don't have control over what is updated and when. That is done by Canonical itself.
You would think in light of Mint's issues (which Mint has completely fixed) that Canonical would have paid attention.
No, when I said the "admins of Ubuntu Forums" I did not mean the IDs listed in each forum, in other words, the moderators there. I meant to say the staff who are in charge of maintaining the servers of the Ubuntu Forums, as well as the forum software. These people are the stupid morons who should be banned from such posts in the future.
No, they are not making a mistake; they are just too lazy to click an update button. Such behavior reflects their lack of responsibility and lack of a professional work attitude. Such mistakes are very different from the kind people could make when they were actively trying to make the forums safer.
LOL, not really, I am still going to use Ubuntu. After all, it's not a reflection of a problem with the OS. It's a problem with the forum software.
That's probably a good decision. I have no reservations whatsoever about using anything Ubuntu-based; these days I'm using LXLE.
I use Ubuntu for mass deployment and work due to its ease of install, out-of-the-box AppArmor that's easy to customize, and quick, on-time security patches. No issues there, but the Ubuntu web site needs to go HTTPS ASAP!