
Cyber Incident Victim: Kodi

Date: Feb 2023

Location: United Kingdom

Summary

Unauthorized access to the Kodi forum's administration console occurred via a compromised inactive administrator account, enabling attackers to create and download database backups containing public and private forum posts, user messages, usernames, email addresses, and encrypted passwords. The stolen data was later advertised for sale on a hacking forum, targeting approximately 400,000 users. The organization responded by taking affected systems offline, migrating to updated software with enhanced security measures, resetting all user passwords, and notifying relevant authorities. Breached email addresses were shared with a public disclosure service to alert impacted individuals. The incident prompted a rebuild of infrastructure, including forum and wiki servers, alongside plans for future penetration testing to bolster defenses.


Description

The Kodi Foundation became aware of a data breach involving its user forum in the 24 hours before April 8, 2023, when a database dump was advertised for sale online. Investigation of the MyBB admin logs revealed unauthorized access to the forum's web-based administrative console using the compromised credentials of a trusted but inactive forum administrator account. That account was used to create and download database backups on February 16 and February 21, 2023; the attacker also downloaded existing nightly full backups and then deleted the evidence of these actions. The account owner confirmed they had not performed any of this activity. The stolen database contained all public and private forum posts, user-to-user private messages, forum usernames, notification email addresses, and passwords protected by MyBB v1.8.27's hashing and salting mechanism. Although there was no evidence that the underlying server infrastructure had been compromised, Kodi assumed all credentials were compromised given that full backups had been exfiltrated.


The breach affected approximately 401,000 forum users. The forum, wiki, and pastebin systems were taken offline immediately while administrators began the response. Because the systems were hosted in the UK, Kodi notified the UK Information Commissioner's Office and filed a police report, but did not pursue breach notifications in other countries. Although forensic analysis found no confirmed residual compromise, Kodi commissioned a new forum server and migrated to updated MyBB and MediaWiki versions, which required significant code review of custom modifications and security backports. All user passwords were invalidated, so users had to reset them once service was restored; the wiki and paste sites were back online by April 17 with password resets enforced. Kodi partnered with HaveIBeenPwned to notify affected email address holders and prepared direct communications warning users about the risks of reusing the compromised passwords elsewhere. The forum resumed operation on April 25 after system hardening that included restricted administrative access, privilege reductions, enhanced logging, and backup process improvements. The attackers had tried without success to sell the database on the Breached hacking forum in February 2023, with advertisements highlighting the inclusion of IPTV reseller information, before that forum was shut down by law enforcement action against its operators. Kodi announced plans for post-recovery penetration testing and invited volunteer security professionals to audit its infrastructure.
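The pattern described above, a dormant administrator account creating, downloading and then deleting database backups through the admin console, is one that the enhanced logging Kodi introduced can surface. The following added example (not Kodi's or MyBB's code) runs two simple detections over constructed audit records; the record fields and the module/action strings are assumptions loosely modelled on MyBB's admin log, not its exact schema.

```python
from datetime import datetime, timedelta

# Constructed sample admin-console audit records, loosely modelled on MyBB's adminlog
# table (uid, module, action, dateline). Field names and module/action strings are
# assumptions for illustration, not MyBB's exact schema.
ADMIN_LOG = [
    {"uid": 7, "module": "tools-backupdb",   "action": "backup",   "dateline": "2023-02-16T03:12:00"},
    {"uid": 7, "module": "tools-backupdb",   "action": "download", "dateline": "2023-02-16T03:15:00"},
    {"uid": 2, "module": "forum-management", "action": "edit",     "dateline": "2023-02-17T10:00:00"},
    {"uid": 2, "module": "tools-backupdb",   "action": "backup",   "dateline": "2023-02-18T01:00:00"},
    {"uid": 7, "module": "tools-backupdb",   "action": "backup",   "dateline": "2023-02-21T02:40:00"},
    {"uid": 7, "module": "tools-backupdb",   "action": "delete",   "dateline": "2023-02-21T02:55:00"},
]

# Constructed baseline: each admin's last known activity before the review window.
LAST_ACTIVITY = {7: "2022-06-01T00:00:00", 2: "2023-02-15T00:00:00"}

# Backup creation, download and deletion are the actions that matter here.
SENSITIVE = {"backup", "download", "delete"}


def flag_dormant_backup_activity(log, last_activity, inactive_days=90):
    """Return (uid, action, dateline) for backup-module actions performed by an
    admin whose baseline activity is older than inactive_days at that moment."""
    findings = []
    for entry in log:
        if entry["module"] != "tools-backupdb" or entry["action"] not in SENSITIVE:
            continue
        when = datetime.fromisoformat(entry["dateline"])
        last = datetime.fromisoformat(last_activity[entry["uid"]])
        if when - last >= timedelta(days=inactive_days):
            findings.append((entry["uid"], entry["action"], entry["dateline"]))
    return findings


def backups_deleted_after_creation(log):
    """Return uids that created a backup and later deleted one: the clean-up
    pattern an actor leaves after pulling a copy of the database."""
    created, suspicious = set(), set()
    for entry in sorted(log, key=lambda e: e["dateline"]):
        if entry["module"] != "tools-backupdb":
            continue
        if entry["action"] == "backup":
            created.add(entry["uid"])
        elif entry["action"] == "delete" and entry["uid"] in created:
            suspicious.add(entry["uid"])
    return suspicious


if __name__ == "__main__":
    for finding in flag_dormant_backup_activity(ADMIN_LOG, LAST_ACTIVITY):
        print("dormant admin backup activity:", finding)
    print("backup created then deleted by uids:", backups_deleted_after_creation(ADMIN_LOG))
```

Both checks only work if the audit log itself survives; the deletion of evidence described above is the reason to ship admin-console logs off the forum host rather than rely on the local table.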
