Social engineering forum hacked, user data dumped on rival site
Social Engineered, a forum that bills itself as dedicated to the “Art of Human Hacking,” may have been given a dose of its own medicine: in mid-June, its user data was leaked and dumped on a rival forum.
On Thursday, the founder of Social Engineered, who goes by the username Snow101, confirmed the breach, blaming a MyBB vulnerability:
MyBB is open-source, free software used to create and run online forums.
Snow101 said that Social Engineered has now moved over to the XenForo platform to try to avoid a repeat of the data breach. The forum owner is also looking for contributions: Snow101 asked members to voluntarily chip in to help in the shift from a free, open-source project to a commercial forum.
According to Bleeping Computer, whoever’s behind the leak posted that they had “uploaded the full database and root directory of this website.”
MyBB’s MyBad month
MyBB has had a shaky month. It was one of the many CMSs (content management systems) that researchers recently found weren’t storing passwords securely. They found that MyBB, along with a dozen others, was using the now obsolete MD5 hashing function.
Weak password hashing couldn’t have caused the breach at Social Engineered, but it might make the consequences of the breach much worse as hackers make light work of cracking the site’s exposed password database.
However, a bug that could lead to a catastrophic site breach was discovered earlier this month. MyBB released updates that fixed vulnerabilities in version 1.8.20 and older that could have allowed a remote attacker to get complete control over a site and, potentially, the server.
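For the MD5 password storage described above, the usual remedy is to re-hash each password with a slow key-derivation function at the user's next successful login; the sketch below is an added example, not code from MyBB or from the original article. The legacy layout md5(md5(salt) + md5(password)), the record format, the iteration count and the sample users are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware
PREFIX = "pbkdf2_sha256"

def legacy_md5(password: str, salt: str) -> str:
    # Assumed legacy layout: md5(md5(salt) + md5(password)), hex encoded.
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    return md5(md5(salt) + md5(password))

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"

def check_record(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(user: dict, password: str) -> bool:
    """Verify a password; upgrade the stored hash when the login succeeds."""
    stored = user["hash"]
    if stored.startswith(PREFIX + "$"):
        if not check_record(password, stored):
            return False
        if int(stored.split("$")[1]) < ITERATIONS:  # work factor was raised
            user["hash"] = make_record(password)
        return True
    if not hmac.compare_digest(legacy_md5(password, user["salt"]), stored):
        return False
    user["hash"] = make_record(password)  # plaintext is only available now
    user["salt"] = ""                     # legacy salt is no longer used
    return True

def still_on_md5(users: list) -> list:
    """Accounts that have not logged in since the migration started."""
    return [u["name"] for u in users if not u["hash"].startswith(PREFIX + "$")]

# Constructed sample user table (not real data).
USERS = [
    {"name": "alice", "salt": "aB3dE6gH", "hash": legacy_md5("correct horse", "aB3dE6gH")},
    {"name": "bob", "salt": "Zz9yX8wV", "hash": legacy_md5("hunter2", "Zz9yX8wV")},
]
```

Accounts reported by `still_on_md5` keep their MD5 hash until the owner logs in, so dormant accounts need a forced password reset to close the gap.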