vBulletin’s recent breach reveals issues with website and password protection
December 5, 2013

Password security is a two-way street. On the one hand, companies should be expected to provide as much protection as possible to their users. On the other hand, individuals should create the strongest authentication details they can think of. If both of these parameters could regularly be achieved, the number of compromised accounts and websites would be drastically reduced. 

Unfortunately, this usually doesn't happen and forum software host, vBulletin, recently experienced a breach, according to Naked Security. Although vBulletin claimed that it had encrypted user passwords, this was not the case when some of the company's members were hacked. When the vBulletin-hosted Ubuntu forum was compromised, the hacker stated that the site only used the default hashing for the software, and Naked Security suggested that vBulletin itself might have done the same with members' security details. 

Reporting on the incident, Ars Technica noted that the vBulletin forum software may have a critical vulnerability that applies across the technology. The group taking credit for the vBulletin breach, the Inject0r Team, stated that it had discovered an undocumented exploit that allowed it to hack the platform and gain access to a MacRumors moderator account, which in turn let the organization take the password hashes for 860,106 other accounts on the forum. Based on its claims, all versions of vBulletin 4.x.x and 5.x.x. are exposed to attack – and the Inject0r Team claims that it's selling details about the vulnerability. 

Because of these problems, Ars Technica suggested that websites running versions 4 or 5 of vBulletin's software should disable their forums until the company has either explained the attack or stated that there are no known vulnerabilities. This move has already been taken by the Defcon forum, which was among those affected. 

Creating a better online ecosystem
The simple fact is that security is not a top priority for many companies. It's important, but it's typically a secondary consideration at best. In the case of vBulletin, the company is devoted to providing forums for users to communicate across the Internet. An e-commerce site wants to sell its goods and even government or healthcare websites are invested in providing services to their citizens and patients above all else. Meanwhile, consumers pay just as much mind to their security – they want to buy products, post messages or access their records and benefits, and they want to perform these actions as conveniently as possible. A complicated authentication process only gets in the way of these activities. Naked Security recommended people use one account and one password for every seprate website they use online, but this advice is already known and often not heeded. 

Due to this issue, more organizations should consider turning to companies that are devoted to identity management and providing a safe online environment for everyone to operate in. In many cases, this can be less costly than creating a system from scratch, or maintaining the current software in place. Storing login details makes even relatively innocuous websites targets for attack, because even if they don't possess financial data or personal information, the tendency for people to use the same names and passwords across multiple sites means that the data could pay off elsewhere on the Internet. Allowing users to bring their own credentials from somewhere that they don't treat as casually as an online forum can enhance fraud protection on both sides. 

Breaches, or at least their attempt, are nearly inevitable. Since companies cannot possibly convert every single users' password into a secure, single-use code, decision-makers should instead look to minimizing the problem as much on their own end.