Cyber Incident Victim: MrExcel.com

Date: Dec 2016

Location: United States of America

Summary

A hack targeting an online forum was detected by moderators, leading to immediate shutdown and restoration from backups. Attackers accessed user IDs, email addresses, passwords stored as salted hashes, and administrative metadata including last login timestamps and post counts. Compromised credentials were later found posted online, enabling potential password-cracking attempts. The organization responded by removing malicious code, applying software patches to address vulnerabilities in the platform, and transitioning to secure communication protocols. Affected users were required to reset their passwords and advised to change the password on any other account that used the same credentials.

Description

On December 6, 2016, moderators at MrExcel.com detected a live hacking attempt targeting the platform’s vBulletin-based forum. The attack was interrupted through immediate shutdown of the forum, removal of the attacker’s account, and restoration of the system using a backup from December 5, 2016. Initial assessments indicated no evidence of user data compromise during this response phase. Approximately one month later, on January 8, 2017, forensic evidence revealed that the December 5 intrusion had in fact resulted in unauthorized access to user records, which were subsequently posted online. The breach notification was formally issued by site administrator Bill Jelen on January 14, 2017, confirming the incident’s scope and initiating user communications. Technical investigations confirmed the attacker exploited unpatched vulnerabilities in the vBulletin software, though no malicious code remained after the restoration.

Compromised data included user IDs, email addresses, and passwords stored as cryptographic hashes with salt, a security measure that nevertheless left the passwords open to cracking by a determined attacker, at estimated rates of one billion attempts per hour with 25% success probability. Administrative metadata such as last login timestamps and post counts was also accessed, though this contained no directly identifiable personal information. All forum accounts active before December 6, 2016, were confirmed as affected, while separate e-commerce systems for MrExcel’s store remained uncompromised. Remediation included mandatory password resets for all users, implementation of SSL encryption, and ongoing software patching. The organization directed impacted individuals to third-party breach notification services like LeakedSource.com for verification and advised them to change the password on any other account that shared credentials with MrExcel.com. User support addressed concerns regarding birthdate data retention limitations and phishing verification through official social media channels.
