Hacker Coldroot claims responsibility for the attack

Nov 2, 2015 10:11 GMT  ·  By

It appears that a zero-day vulnerability in the vBulletin forum package allowed an Egyptian hacker to breach the official vBulletin website and the forums of Foxit Software, which was using vBulletin for its forum section.

The hacker is Mohamed Osama who, as soon as he pulled off the attack, started bragging to @Cyber_War_News on Twitter.

Osama, who also goes by the nickname of Coldroot, went on so far to create a YouTube video of him while hacking vBulletin.com, posting photos on his Facebook profile, and even send images to @Cyber_War_News of the data he acquired in the hack. His YouTube and Facebook posts were eventually deleted.

Egyptian hacker Coldroot claims responsibility

Osama's LinkedIn profile reveals he's a Senior Programmer at Orbit Shield in Dubai, and ironically lists "Cracking" and "Ethical Hacking" as some of his skills.

According to visual evidence that @Cyber_War_News acquired, the hacker managed to break into vBulletin's infrastructure, upload a shell and exfiltrate the company's customer database.

A sample of the database that @Cyber_War_News received confirms that the data contained user IDs, names, email addresses, security questions, their answers, and password salts.

Despite the hacker claiming his intrusion went unnoticed, the breach was detected and discussed by the company towards the end of the past week. At one point, the vBulletin website was put offline for maintenance and continues to be down at the time of this article.

Before going offline, vBulletin's forum stats page listed around 345,000 users. We have contacted the company for a statement.

Foxit Software also hacked, with the same vBulletin exploit

But the bad news doesn't end here. According to the same @Cyber_War_News, after breaching the vBulletin.com website, Coldroot then moved on to the forums of Foxit Software, a company specialized in producing desktop applications.

Foxit was running vBulletin's forum package, and the hacker said he used the same zero-day bug to breach their database, stealing data for around 260,000 customer accounts. Foxit Software forum's statistics section lists over 535,000 accounts.

The hacker claims that the entire Foxit hack took him only two days. We have also reached out to Foxit Software for comment. We will update this article as soon as new information becomes available.

UPDATE 1: vBulletin acknowledged the hack and has issued a site-wide password reset.

UPDATE 2: Foxit Software has issued the following statement following Softpedia's inquiry:

"The security of our users’ accounts is paramount at Foxit. Recently, Foxit was the victim of an attack on our forum using a previously unknown vBulletin vulnerability. This vulnerability has been repaired. As part of the breach, data including usernames, email addresses and encrypted passwords was taken. While we do not believe that anyone will be able to determine our users’ password, for security purposes, we recommend our forum users to change the password on our forum and anywhere else it may have been used. The security alert has been posted on http://forums.foxitsoftware.com/ and will be sent to all our forum users soon. We at Foxit value all our users, and will continue to remain vigilant and improve our ability to detect and prevent attacks. Thank you."

The hacker bragging on his Facebook page
The hacker bragging on his Facebook page

vBulletin data breach evidence (5 Images)

Data the hacker stole from vBulletin
Sample data, stolen from the vBulletin serversThe shell the hacker used breach the vBulletin servers
+2more