Cyber Incident Victim: ZoneAlarm
Date: Nov 2019
Location: United States of America
Summary
A cybersecurity firm's online forum suffered a data breach when attackers exploited a critical vulnerability in outdated vBulletin software, compromising approximately 4,500 users' personal information including names, email addresses, hashed passwords, and dates of birth. The incident, linked to a previously disclosed zero-day flaw affecting unpatched systems, prompted immediate user notifications and temporary forum shutdown for remediation. The same vulnerability had been used in a prior attack on another company's forums. An investigation is ongoing, with the company emphasizing the forum's separation from other services and limited user base.
Description
On or around November 11, 2019, ZoneAlarm—a cybersecurity software provider owned by Check Point Technologies—confirmed a data breach affecting its standalone user forum site at forums.zonealarm.com. The company detected unauthorized access to its vBulletin-based forum platform late the previous week, prompting immediate notification of approximately 4,500 registered users via email. Attackers exploited a critical remote code execution vulnerability (CVE-2019-16759) in the outdated vBulletin 5.4.4 software powering the forum, which had not been patched despite the availability of fixes for newer versions. This zero-day flaw, initially disclosed anonymously in September 2019, enabled threat actors to compromise the site and access user data including names, email addresses, hashed passwords, and dates of birth. ZoneAlarm emphasized that the breached forum operated independently from its core security products and primary websites, limiting exposure to this specific user subset. The company took the forum offline for remediation upon discovering the intrusion, preventing further access until vulnerabilities could be addressed.

ZoneAlarm initiated an internal investigation while notifying affected customers within 24 hours of detection, advising them to reset forum passwords and change credentials on other platforms where they might have reused the same passwords. The exact timeline of the breach remained unclear, though the incident mirrored a similar attack against Comodo’s forums exploiting the same vBulletin vulnerability just one week prior, which impacted over 245,000 users. ZoneAlarm’s forum remained inactive during remediation efforts, with plans to enforce mandatory password resets upon restoring service. No evidence suggested compromise of ZoneAlarm’s commercial security software or customer data beyond the isolated forum infrastructure. The company’s public communications regarding the incident occurred exclusively through direct user notifications and statements to media outlets, without formal public disclosures or breach portal announcements.
