
Cyber Incident Victim: Foxit Software

Date:

Oct 2015

Location:

United States of America

Summary

A threat actor using the alias Coldzer0, who also identified himself as Mohamed Osama, exploited a zero-day vulnerability in vBulletin to compromise both vBulletin's own forums and Foxit Software's user forums. Over two days the attacker held unauthorized access to Foxit's forum servers and exfiltrated data on more than 260,000 user accounts: user IDs, full names, email addresses, security questions and answers stored in plaintext, password salts, and credit card numbers (without CVV codes). Coldzer0 kept persistent access through a web shell that the company's F5 security appliances did not detect, and publicly claimed responsibility while posting evidence of the breach. The forum had nearly 537,000 registered accounts at the time, so roughly half of its user base was exposed.


Description

In November 2015, Foxit Software's user forums were compromised by an attacker using the alias Coldzer0, who also identified himself as Mohamed Osama. The breach took place over a two-day period and exploited a zero-day vulnerability in the vBulletin software underpinning the forums. Coldzer0 publicly claimed responsibility for the intrusion, stating that he had obtained data from over 260,000 user accounts and maintained unauthorized access to Foxit's servers via a web shell. He documented his activities through social media posts, including screenshots and videos that were later removed from platforms such as YouTube and Facebook. The attacker criticized Foxit's security measures, noting that their F5 hardware had failed to detect either his traffic or the implanted shell. Compromised data included user IDs, full names, email addresses, security questions and answers stored in plaintext, password salts, and credit card numbers excluding CVV codes. Foxit's forums hosted approximately 537,000 registered accounts at the time, so roughly half of all user records were exposed. Coldzer0 linked this breach to a simultaneous attack on vBulletin's own forums, which he carried out using the same exploit. vBulletin's forums, with 344,581 members, were taken offline for maintenance following the incident, but vBulletin had not officially confirmed the breach at the time of reporting. Foxit Software was contacted for confirmation but had not issued a public statement by the article's publication date.


The incident exposed sensitive user information, including authentication details and financial data, raising the risk of credential theft and identity fraud. Coldzer0's public disclosures included samples of stolen records, such as security questions and answers stored in plaintext, which could enable account takeovers on other services where users had registered the same answers or passwords. The attacker's ability to operate without triggering the F5 security appliances highlighted potential gaps in Foxit's network monitoring and intrusion detection. While Coldzer0 did not explicitly state whether the Foxit data was sold or leaked, the breach's scope mirrored the vBulletin compromise, where data was dumped and potentially monetized. Users were advised to change their passwords and to assume their security question answers were compromised, though Foxit itself had not issued formal guidance. The attacker's online profiles, including a LinkedIn account and a personal website, provided corroborating details about his claimed expertise in malware analysis and reverse engineering. Both breaches underscored the risk of unpatched vulnerabilities in widely used forum software, though Foxit's specific remediation steps remained unconfirmed. The public documentation of the incident via social media allowed third-party analysts to validate portions of Coldzer0's claims independently.
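The weakness the leaked samples expose is that recovery answers were stored verbatim, so a copy of the table is immediately usable. The following added example (written for this page, not code from Foxit, vBulletin or the attacker) shows the storage pattern a practitioner would use instead: normalize the answer, hash it with a salted slow KDF, compare in constant time, and keep the question text so the prompt still works. It also shows the caveat that hashing does not remove: recovery answers have so little entropy that a dump holder can still guess them offline at full KDF cost, so server-side rate limiting remains necessary. The record layout, field names and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed sample record in the shape the page describes as exposed: the
# recovery answer stored in clear text beside the user's password salt.
# Values are invented for this example; nothing here is real Foxit data.
EXPOSED_ROW = {
    "userid": 1001,
    "username": "forumuser",
    "email": "forumuser@example.com",
    "question": "What was the name of your first pet?",
    "answer": "Rex",              # clear text: usable by anyone holding the dump
    "password_salt": "k3Pq7",     # salts are not secret, but they confirm a live record
}

# Assumed work factor (OWASP recommends 600,000 for PBKDF2-HMAC-SHA256 as of 2023).
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Canonicalize so that 'Rex', ' rex ' and 'REX' all verify against one record.
    Users rarely retype recovery answers exactly, and once the answer is hashed
    there is no later opportunity for fuzzy matching, so normalize first."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes, iterations: int) -> bytes:
    """Salted, slow hash of the normalized answer (PBKDF2-HMAC-SHA256 from the stdlib)."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )


def harden_row(row: dict) -> dict:
    """Return a copy of the row with the clear-text answer replaced by a verifier.
    The question text stays so the user can still be prompted."""
    salt = os.urandom(16)
    hardened = {k: v for k, v in row.items() if k != "answer"}
    hardened["answer_hash"] = {
        "alg": "pbkdf2-sha256",
        "iter": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": hash_answer(row["answer"], salt, PBKDF2_ITERATIONS).hex(),
    }
    return hardened


def verify_answer(row: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    rec = row["answer_hash"]
    digest = hash_answer(candidate, bytes.fromhex(rec["salt"]), rec["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def offline_guess(row: dict, wordlist: list) -> Optional[str]:
    """What a dump holder can still do against a hardened row: try each candidate
    at full KDF cost. Pet names and similar answers come from a tiny space, so
    hashing raises the price of each guess but does not make guessing infeasible.
    Returns the normalized answer on a hit, None otherwise."""
    for word in wordlist:
        if verify_answer(row, word):
            return normalize_answer(word)
    return None


if __name__ == "__main__":
    hardened = harden_row(EXPOSED_ROW)
    print(hardened)                                   # no "answer" field, only the verifier
    print(verify_answer(hardened, "  REX "))          # True after normalization
    print(offline_guess(hardened, ["max", "bella", "rex"]))  # "rex": low entropy still guessable
```

The leaked password salts illustrate the same point from the other side: a salt is not a secret, and its disclosure only matters when the hash it protects is cheap enough to brute-force, which is why the cost parameter, not the salt, carries the security.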
