The online forum was the only piece of infrastructure compromised, the company say. No other Ubuntu website, repository or update mechanism is known to have been affected.
“Known SQL Injection Vulnerability to blame”
Canonical CEO Jane Silber explains: “We were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.”
The attacker was able to “download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users.”
But Canonical stress that “the attacker was NOT able to gain access to valid user passwords.”
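Canonical has not published the details of the Forumrunner flaw, so the snippet below is an added illustration and not the vulnerable code: a hypothetical forum lookup that concatenates user input into a query, shown beside the parameterised version that closes the hole. The table layout and the three rows are constructed sample data, not anything taken from the Ubuntu Forums dump; it uses SQLite only so it runs offline.

```python
import sqlite3

# Constructed sample rows (not real Ubuntu Forums data): username, email, last IP.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "203.0.113.5"),
    ("bob", "bob@example.net", "198.51.100.7"),
    ("carol", "carol@example.com", "192.0.2.9"),
]


def make_db():
    """In-memory stand-in for a forum 'user' table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, "
        "username TEXT, email TEXT, ipaddress TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, email, ipaddress) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical add-on style lookup: untrusted input spliced into the SQL text.

    A value like  nobody' OR '1'='1  turns the WHERE clause into a tautology and
    the query returns every row in the table, i.e. a bulk dump of the user data.
    """
    sql = "SELECT username, email, ipaddress FROM user WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL syntax."""
    sql = "SELECT username, email, ipaddress FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload; it needs no second statement, which matters because
# sqlite3's execute() only runs a single statement anyway.
INJECTION = "nobody' OR '1'='1"


def demo():
    """Run both lookups against the same payload and a legitimate username."""
    conn = make_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, INJECTION)),
        "safe": lookup_safe(conn, INJECTION),
        "legit": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable function hands back all three rows for a single crafted username, which is exactly the shape of the incident described above (a partial dump of the user table rather than a takeover). The parameterised version returns nothing for the payload and still finds "alice" normally. A web application firewall, as Canonical mention later, may block this particular string, but only the bound parameter removes the class of bug.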
“We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation,” Canonical CEO Jane Silber writes in a blog post.
While the forums were offline Canonical cleaned and rebuilt the servers used to run the vBulletin forum software and reset all system and database passwords.
They have also installed a new Web Application Firewall “to help prevent similar attacks in the future” and say they will improve monitoring of vBulletin to “ensure that security patches are applied promptly.”
And if any of that sounds a little familiar, it’s because you heard the same thing the last time the forums were hacked, way back in 2013.
What This Means For You
In short, don’t panic. Canonical assures us that “no active passwords were accessed”: because the forum uses Ubuntu Single Sign On for logins, the password field in the vBulletin user table never held a password a user had chosen, only a random string generated by the forum.
Those random strings were downloaded by the attacker (yikes!), but they were stored salted and hashed, and even if one were cracked it would not be a password anyone actually uses.
More concerning are those 2 million email addresses that the attacker has acquired. Stay extra vigilant when getting emails from unknown companies or services, keep an eye on any uptick in spam, and pay doubly close attention to any email purporting to be from the Ubuntu Forums or similar: it could be a phishing attempt. Bear in mind that the attacker also has usernames to go with the addresses, so a message that greets you by your forum handle is no proof that it is genuine.