Ubuntu Forums Get Breached, 2 Million Users/Emails/IPs

Discussion in 'all things UNIX' started by amarildojr, Jul 15, 2016.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Haha... so it happens to Ubuntu eh? Amazing.... :)
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    ****, my email and password must have been leaked
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    My condolences to all of you who will now receive dozens of SPAM e-mails thanks to this :thumb:
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    It's not a great idea to use emails that you actually use for registering accounts.

    This is minor compared to the Mint hack, which replaced links to ISOs with their own and they were inside Mint for at least a month, after ignoring someone who told them they were hacked, then claimed to have fixed the issue before shutting down everything for weeks when they found they didn't fix it. The Mint hacker DID have actual forum passwords.

    "No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted)."
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    source

    ...as long as they hashed and salted the passwords correctly, there should be no password breach.

    EDIT

    I just see now @AutoCascade makes reference to this.
     
  8. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
  9. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    The patch to that vulnerability has long been released, but no one at Ubuntu Forums bothered to install it.
    The admins of that forum should be fired and they should never get a similar job in the future. These stupid morons did not have the basic sense of security while they have millions of personal login info in their hands. Is it that hard to have their software up to date?
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Does this mean you are going to stop using Ubuntu :D
     
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    Not really, if the Forums are well created then the admins only need to press a button. I know this because I'm the admin of an IPB forum. One click and you're done :D

    Ah, come on... everybody makes mistakes. I'm sure this will be a very valuable lesson to those people (and also to the people that say Ubuntu does security "the right way", which it does not, but that's not the point of this thread). That shouldn't be a reason to be in some sort of IT blacklist IMO.
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    'Storm in a teacup' if you ask me.
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    It's a bit more complicated than that. From what I understand, the admins, who are non-paid volunteers, don't have control over what is updated and when. That is done by Canonical itself.
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Interesting.....
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    You would think in light of Mint's issues (which Mint has completely fixed) that Canonical would have paid attention.
     
  16. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    No, when I said the "admins of Ubuntu Forums" I did not mean the IDs listed in each forum, in other words, the moderators there. I meant to say the staff who are in charge of maintaining the servers of the Ubuntu Forums, as well as the forum software. These people are the stupid morons who should be banned from such posts in the future.
     
  17. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    No, they are not making a mistake, they are just too lazy to click an update button. Such behavior reflected their lack of responsibility, and lack of professional work attitude. This kind of mistake is very different from the type of mistakes people could make when they actually actively tried to make the forums safer.
     
  18. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    LOL, not really, I am still going to use Ubuntu. After all, it's not a reflection of the OS's problem. It's a problem of the forum software.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    That's probably a good decision. I have no reservations whatsoever about using anything Ubuntu-based, these days using LXLE.
     
    Last edited: Jul 17, 2016
  20. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    I use Ubuntu for mass deployment and work due to its ease of install, out-of-the-box AppArmor that's easy to customize, and also quick security patches on time. No issues there, but the Ubuntu web site needs to go HTTPS ASAP!
     