A major data breach on the Ubuntu Forums has not compromised the passwords of its affected users.
In an update to its announcement that an incident had taken place, its developer Canonical Ltd was keen to highlight that this information was not accessed.
However, as Jane Silber, CEO of Canonical Ltd, revealed, usernames, emails addresses and IPs belonging to two million of its users have nevertheless been exposed.
“The attacker had the ability to inject certain formatted SQL to the forums database on the forums database servers,” she explained.
“This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.”
Ms. Silber said that Canonical’s IS team was alerted to the data breach on July 14th, when a member of the Ubuntu Forums Council informed them that an individual had claimed to have downloaded the forums database.
On immediate investigation it became clear that an incident had taken place, and the forums were quickly taken offline “as precautionary measure”. Full service has since been restored.
Ms. Silber stated: “Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the forums which had not yet been patched.”
Commenting on this, independent security analyst Graham Cluley said: “If you don't patch the software running on your website, don't be surprised if [an attacker] compromises your system and makes off with your customer's data.”
