
Cyber Incident Victim: Ubuntu Forums

Date: Jul 2016

Location: United Kingdom

Summary

Ubuntu Forums was breached through a known but unpatched SQL injection vulnerability in the Forumrunner add-on to vBulletin, which gave the attacker read access to the forums database. The attacker downloaded portions of the 'user' table, obtaining usernames, email addresses and IP addresses for approximately 2 million accounts. No usable passwords were exposed: the forums authenticated through Ubuntu Single Sign-On, so the password fields held random hashed and salted strings rather than real credentials. The intrusion was limited to read-only SQL access on the forums database servers, with no evidence of shell access, remote SQL write access, or a foothold on front-end servers, code repositories, update mechanisms or other Canonical services. In response, Canonical took the forums offline, rebuilt the servers from scratch, updated vBulletin to the latest patch level, reset system and database passwords, deployed ModSecurity as a web application firewall, and improved monitoring so that future security patches are applied promptly.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On July 14, 2016, at 20:33 UTC, Canonical's Information Security team was notified by a member of the Ubuntu Forums Council that an individual claimed to be in possession of the Forums database. Immediate investigation confirmed that data had been exposed, and Ubuntu Forums was taken offline as a precaution. Forensic analysis identified the attack vector as a known SQL injection vulnerability in the Forumrunner add-on that had not been patched before the breach. By injecting specially formatted SQL through the add-on, the attacker gained read access to tables on the Forums database servers. The evidence showed that the attacker specifically targeted the 'user' table and downloaded portions of it containing usernames, email addresses and IP addresses for approximately two million forum users. The table's password fields were also read, but because the forums relied on Ubuntu Single Sign-On for authentication those fields held random hashed and salted strings rather than real credentials, so no functional passwords were compromised. The attacker's access was limited to SQL read operations on the Forums database servers, with no evidence of data modification or broader system infiltration.
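As an added illustration of the attack path described above (a constructed example written for this page, not vBulletin or Forumrunner code, and not the actual vulnerable query): a forum endpoint that concatenates a request parameter into SQL, the same endpoint with a bound parameter, and what a read-only UNION injection returns from a 'user' table whose password column holds random strings because logins go through single sign-on. The table layout, the sample rows and the `postid` parameter are assumptions made for the example.

```python
"""
Constructed model of the incident's attack path: a forum endpoint that builds
SQL by string concatenation (the bug class behind the Forumrunner flaw), its
parameterized fix, and what a read-only injection yields from a 'user' table
whose password column holds random, non-credential strings because the forum
delegates logins to single sign-on. Not vBulletin/Forumrunner code; schema,
rows and parameter names are assumptions for illustration.
"""
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data modelled on the tables described in the incident."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, ipaddress TEXT, password TEXT, salt TEXT)"
    )
    conn.execute(
        "CREATE TABLE post (postid INTEGER PRIMARY KEY, userid INTEGER, title TEXT)"
    )
    sample_users = [
        (1, "alice", "alice@example.org", "198.51.100.7"),
        (2, "bob", "bob@example.net", "203.0.113.42"),
    ]
    for userid, name, email, ip in sample_users:
        # SSO-backed forum: the local password column is filled with a random
        # value that was never a user credential, so dumping it yields nothing
        # an attacker can log in with.
        conn.execute(
            "INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)",
            (userid, name, email, ip, secrets.token_hex(16), secrets.token_hex(4)),
        )
    conn.execute("INSERT INTO post VALUES (1, 1, 'Welcome')")
    conn.execute("INSERT INTO post VALUES (2, 2, 'Question about apt')")
    return conn


def get_post_vulnerable(conn: sqlite3.Connection, postid: str) -> list:
    """Hypothetical add-on handler: the request parameter is pasted into SQL."""
    query = "SELECT postid, title, userid FROM post WHERE postid = " + postid
    return conn.execute(query).fetchall()


def get_post_fixed(conn: sqlite3.Connection, postid: str) -> list:
    """Same handler with a bound parameter: the input can only ever be a value."""
    return conn.execute(
        "SELECT postid, title, userid FROM post WHERE postid = ?", (postid,)
    ).fetchall()


# Attacker-controlled value for the 'postid' parameter. The UNION projects three
# columns to match the legitimate SELECT, so the combined statement is valid SQL
# and the result set carries user rows instead of post rows. It is a pure read:
# no write, no shell, which matches the access the attacker actually had.
INJECTED = "0 UNION SELECT username, email || ' ' || ipaddress, password FROM user"


def dumped_users(rows: list) -> list:
    """Rows that came from the user table (TEXT username) rather than post (INTEGER postid)."""
    return [r for r in rows if isinstance(r[0], str)]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler, injected input:")
    for row in dumped_users(get_post_vulnerable(db, INJECTED)):
        print("  leaked:", row)
    print("fixed handler, injected input:", get_post_fixed(db, INJECTED))
    print("fixed handler, normal input:   ", get_post_fixed(db, "1"))
```

With the concatenating handler the injected `postid` returns every user's username, email and IP address along with the random password strings; with the bound parameter the same input matches no row, because SQLite compares it as a value rather than executing it as SQL.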


Canonical's investigation confirmed several limits on the attacker's access: there was no penetration of Ubuntu code repositories, update mechanisms, front-end servers or other Canonical services, and the compromise did not extend beyond SQL read operations on the database servers, with no evidence of shell access, remote SQL write capability or privilege escalation. Containment began with complete backups of the affected servers, followed by full wipes and rebuilds from clean bases. All affected systems were updated to the latest patched vBulletin release, and all system and database passwords were reset. Post-incident hardening included deployment of ModSecurity as a web application firewall and improved monitoring so that future security patches are applied more quickly. Service was restored once these corrective actions were complete, and on July 19, 2016, Canonical publicly confirmed that user passwords had remained uncompromised throughout the incident.

Sources
Sources available to members
1 source