vBulletin.com / vBulletin.org Hacked

I think that all three losers, Mark B /Paul M and Joe D should be fired. They are all contributing to the downfall of VB and IB. Their attitude towards VB customers is deplorable.

 

Totally unbelievable, the sheer incompetence and ignorance of the VB/IB support staff and management.

I have just done some Google searches and read a small part of the fiasco about them on TAZ and elsewhere.

The twisting and turning to try to play catch up by the VB staff is an abject lesson in failure.

Surely the owners and bean counters of IB can see what is going down?

The lies, propaganda, and unethical practises of some of the support staff are just a total farce, from supposed programmers and coders etc.

I just shake my head at their total incompetence in dealing with anything that involves commonsense or actual thought.


Is Bugs Bunny really running the show over there?

 

*THEIR* SECURITY TEAM DISCOVERED IT???? I thought Joe stated that they did not hide things on VB.org.
Why hide the fact that others DISCOVERED the security risk?

Yup it seems that Bugs Bunny is in fine form.

 

I received two separate emails regarding hack from vB.com

 

So just an example of how screwed up vb is. I follow the link to vBORG, which is on vb 3.something and it changed fine. I follow the link to vbulletin.com, which is on vb 5 and it I mistyped the old pw because it has been so long and it wouldn't let me change it. But get this, it accepted my email change I typed in at the same time, with a bad password! WTF. Then I used the correct one and it kept sending me back to the change your password screen. I clicked on forums and I get the same screen. I click on latest posts or whatever it's called over there and I am in. What a piece of crap that software has become.

 

Interesting. I guess I have to take back a bit of my sarcasm and give IB some credit for doing the right thing.

Some points to consider though, which I saw within 2 minutes of reading the email.

1. The instructions in the email aren't correct. Something was done to make users have to log-in again first. If you click the link in the email, you are met with an empty page. Not even a "You aren't allowed to view this page until you are logged in" message. Just a completely blank page with the header and footer. Terrible UI #1.

2. In one sentence the email says, " involving the illegal access of forum user information, possibly including your password." And in the next sentence it says, "the attackers accessed customer IDs and encrypted passwords on our systems." So, passwords, even though encrypted, were accessed, which mean the "possibly" is totally out of place. Don't do tap dancing, when it comes to security.

3. "do not use the same password you used with us previously". Hmm....maybe a possible new feature for vBulletin? The "we got hacked and now you need to create a new password different from the one you had before check" feature? So users MUST create a totally new password? Sorry, my sarcasm coming out again. But still, jokes aside, any good identity authentication system would actually have that built into it, as a higher level of password security, along with the password aging function, which I believe vB5 actually has. Or does it?

4. When I saved my new password, I was met with the same page again, but empty. No message that my input was saved properly. Just an empty page with all the fields looking like I'd have to fill it out again. Was my info saved or not? Do I really have to log back out and log back in, to test if my input was saved? Terrible UI #2 among many, many more..... (IB, you really need to look at who is in charge of the UI and replace them with someone who knows what they are doing!).

Again, I commend IB for doing what was the right thing to do. Getting hacked, is bad, but it is also part of a life in a computerized world and it can happen. It shouldn't, but it can. How an organisation deals with it is more telling about the organisation than the hack itself.

Scott

 

How they deal with it on day one is more telling. How they deal with it many days later after much denial is revealing.

 

All I can say is Internet Brands got somewhat lucky on this one. They don't have to deal with the new California Data Breach Law SB 46.

I haven't been paying too much attention to this data breach, but as soon as I finish my research homework, I'll post more details on what we can put together on my firm's blog.

 

Did the deny the hack? I wasn't aware of that. I believe Paul admitted directly that test servers were compromised, when approached with the issue. And considering the "notice of infiltration" email was released 2-3 days after the hack was accomplished, you'd have to admit that is even lightening speed for IB. It could have been faster, yes. But let's some give credit where credit is due.

What interests me more is what will be done to make sure this doesn't happen again.

Scott

 

And so it continued in a similar vein.

 

Since I own my own cybersecurity consulting firm, I want to point out that DEFENSE is hard. Responding to a security incident is equally as hard, if not harder.

Releasing information too soon is detrimental. - You have customers demanding update pretty quickly, including scope.

Releasing information too late is also detrimental. - You have customers mad at you for not releasing it soon enough.


The toughest part is the investigation phase, to identify the scope of the breach, and what assets were potentially taken.

 

I can't seem to be able to change my password on the site. Oh well might try it again next week.

 

I'm being prompted for server logins all over vB.org - screenshot in the post below:

http://www.vbulletin.org/forum/showpost.php?p=2461405&postcount=91

Not putting my login info there until I know this isn't a phishing scam. I've PM'd Ozzy, who has always been really friendly & helpful. Hopefully we can figure out what's going on!

 

Did anyone stop to wonder how it is that by clicking on that link in a generic email you are taken to a page that allows you to change your password without first logging into your account there? How do you know you are changing your accounts password??? Given that the hackers now have all customers pertinent information from vBOOM's database could this email have come from the hackers and not vBOOM???? inquiring minds want to know............

 

I still haven't gotten an email from vbulletin...

Ha, that may be true Brent but you are featured in the TAZ newsletter I just got a couple seconds ago. Avatar and everything

​

 

Not a surprise, the guy that runs TAZ is such a raging douche bag it's unreal.

 

This clarifies a bit:

 

It doesn't exactly bode well that we (and they) are just now finding out about a hack from the summer. Never good news when your hackers are the ones to alert you of your site being hacked (over social media no less)... Yeesh.