
XenoBot Forums - Database Breach

Xikini

I've tested various bots over the years on alternate accounts so I could see how a bot behaves and acts (when I still played), so I could easily see and recognize patterns made by bots, and therefore be better suited to fight against them.

Random e-mail I received this morning.

Dear [censored],

Due to a vulnerability in the VBulletin software, our database has been leaked. Your tibia accounts are safe. Your bot license is safe. This, however, may lead to your forum account being used without your knowledge or permission, and actions being performed under your name.

Vulnerable accounts can also be bad for the board as a whole as they may enable access for automated tools to spam both the forums and other user accounts, using your username.

As such we have had to reset your password.
You can find your new login details below.

Username: [censored]
Password: [censored]

If you want to change your password, login with the above details at the following location:
http://forums.xenobot.net/profile.php?do=editpassword



We apologize for any inconvenience this may cause and appreciate your understanding.




All the best,
XenoBot Forums

And this is on the forum.
Valued Customers,
Due to a vulnerability in the VBulletin software, our database has been leaked. Your tibia accounts are safe. Your bot license is safe. This, however, may lead to your forum account being used without your knowledge or permission, and actions being performed under your name.

Vulnerable accounts can also be bad for the board as a whole as they may enable access for automated tools to spam both the forums and other user accounts, using your username.

As such we have had to reset your password.
You can find your new login details at your registered email address.


We apologize for any inconvenience this may cause and appreciate your understanding.
//
DarkstaR

Not sure why I'm even posting, just thought it was pretty funny.
Along with the post in the support thread by one of the XenoBot team members asking how to use 'print'. The post has been removed by mods at this point, it seems, though.

Makes you wonder.
:p
 
But how did the guy get access to Joshwa's account in OTLand if the passwords were hashed and salted?
His password was short enough for the hash and salt to be bruteforced, I suppose, and the password was shared between these two sites (stupid, I know). Or maybe Josh's account was too old and didn't have a salt. I can't be certain as I'm just a "community" admin; I have no access to the database and things like that.

Disclaimer: Although Xeno and OTLand were compromised for a brief moment, nothing else was, as it either used a different password or had 2-Factor enabled. We require all OX staff to enable 2-Factor on every service we use (Github, Discord, OX Forums, Gmail, PayPal, etc).

I'd like to reiterate and say if you were using the same password as you were on Xeno, you should change it just in case. Hashes can be bruteforced given enough time; it could be in a few days or a few years. I recommend using LastPass or something similar. You should NEVER use the same password on different sites.
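An added example, not part of the original post and not XenoBot's, OTLand's or vBulletin's code: it measures the per-guess cost of a fast salted hash against PBKDF2 and scales that to the time needed to exhaust short password keyspaces, which is why a salt alone does not protect a short password. The double-MD5 scheme, the 62-character alphabet and the 200,000 iteration count are assumptions chosen for illustration.

```python
import hashlib
import os
import time

ALPHABET = 62  # assumption: passwords drawn from a-z, A-Z, 0-9


def fast_salted_hash(password: bytes, salt: bytes) -> str:
    """Illustrative fast salted hash (double MD5 plus salt); an assumed scheme."""
    inner = hashlib.md5(password).hexdigest().encode()
    return hashlib.md5(inner + salt).hexdigest()


def slow_kdf(password: bytes, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256: deliberately expensive for every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Average time to compute one candidate hash on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(b"candidate%d" % i, salt)
    return (time.perf_counter() - start) / rounds


def keyspace(alphabet: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len over the alphabet."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def compare(lengths=(6, 8, 12)):
    """Return (max_len, days_fast, days_slow) to exhaust each keyspace."""
    fast = seconds_per_guess(fast_salted_hash, 20_000)
    slow = seconds_per_guess(slow_kdf, 3)
    return [(n, keyspace(ALPHABET, n) * fast / 86400,
             keyspace(ALPHABET, n) * slow / 86400) for n in lengths]


if __name__ == "__main__":
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    # Same password, different salts: the digests differ, so precomputed tables
    # are useless, yet each guess against one account is still one fast hash.
    print(fast_salted_hash(b"hunter2", salt_a) != fast_salted_hash(b"hunter2", salt_b))
    for n, fast_days, slow_days in compare():
        print(f"len<={n}: fast {fast_days:.3g} days, PBKDF2 {slow_days:.3g} days")
```

The figures come from single-threaded Python on the local machine, so they understate what dedicated hardware achieves; the ratio between the two columns is the point.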
 
@Xikini the funniest part of this is that DarkStar was supposed to hack other forums, not get hacked =)
 
There are a lot of 0-day exploits going around for these kinds of websites nowadays, or else he just social engineered the admin of XenoBot.
 