08-21-2011, 03:35 PM   #1
Mostly dormant
stoffe
Status: Administrator
Join Date: Apr 2002
Posts: 5,850
LF security breach

It came to our attention a couple of days ago when some friendly neighborhood hacker paid a visit with a stolen supermod account, that Lucasforums had a security breach that resulted in at least parts of its usernames and passwords being downloaded, including the login/password of a few staff members.

As far as I've been able to determine, this breach seems to have happened over 3 years ago, before the forum was upgraded, though at least some of the account information stolen at the time is still valid.

From what I've been able to determine after a couple of days of frantic searching and code reading, the SQL injection security vulnerability exploited to do this is no longer present in the version of vBulletin we currently use. I've also taken a few extra security precautions just in case.

The Blog feature has been disabled until I've had the time to check it thoroughly for vulnerabilities as well. No timetable on how long that will take, but from what I've seen it wasn't used that much anyway, so it's pretty low priority at this point.

So, if you haven't changed your password in a while, now would probably be a good time to do it, just to be safe.

Apologies for the downtime over the past few days, but I felt it was better to play it safe and take the forum offline until this could be more thoroughly investigated and remedied.