Ubuntu forum users, please read the following security advisory link

If you have an Ubuntu forum account, please take the time to read the following as it may affect you!:


Well… sh*#,

Thats scary, but at least sounds like they didn’t get passwords. Could be a good idea to change your password anyway?

Thanks for the heads up @wolfman :+1:

1 Like

I would certainly change my PW even though they say PW’s weren’t affected!. :smiley:

The biggest danger is via the E-Mail addresses as they can send spam/viruses and other unwanted content!. :smiley:

Thanks @anon42388993/@ouroumov for moving/editing it!. :thumbsup:

Seen this a few days ago and already changed my passwords, from what I have read they did this about 2 or 3 years ago so it’s not the first time this has happen. They need to step up the forum Security

1 Like

Even better, ditch the proprietary and awfully clunky vBulletin forum system for something more community spirited… you know… like… Discourse? :relaxed:


Hi @lah7,

but is Discourse safer/better, looking at the security symbol (top left address bar), it isn't currently showing the lock info fully?:

Comparing MATE and Ubuntu forums wrt security ... neither is reported a 100% secure ... probably just the images



1 Like

I have something very similar!:

It’s definitely images which are linked via http (such as http://www.omgubuntu.co.uk/wp-content/uploads/2016/07/ubuntu-forums.jpg) - the browser will only show the page as “secure” if all resources are loaded over encrypted connections.

Btw. the Ubuntu forums breach happened via SQL injection, and HTTPS is completely useless as defense against those kind of bugs. There is more to security than encrypting connections. :wink:


By security I meant the actual vBulletin software (server side), it won't be just Ubuntu Forums that are vulnerable to this data breach.

@maximuscore is right, this topic was also discussed here:


vBulletin really is the Wordpress of web forums and it’s quiet disheartening to see its continued use, despite all the security red flags and incidents in the past, not to mention a special predilection of the vBulletin developers to introduce regressions in their plugins API with almost every single new version. This puts an extra burden on plugin developers, who end up not always answering quickly enough to new security threats within their plugins, or to constantly updating their code which invariably give rise to new bugs.

It bothers me that our emails and IP adresses (in particular the fact one references another) were stored in plain text. I cannot conceive it from a security and privacy point of view. And it should be high time that encrypted personal information should also be supported by modern web services that pretend to support communities of registered individuals. This is truer when these services expect to support large communities, because they will be prime candidates for attacks. Combinations like IP Addresses and email addresses should never be allowed in the open like this. It’s almost as bad as just giving my password away. It may not have a similar effect, but it’s a) a venue for the continued existence and the general growth of the spamming business and b) potentially dangerous to individuals in authoritarian regimes who will be easily linked to their online persona since these countries ISPs are usually owned or tightly controlled by their governments. It’s irresponsible not to store personal information also in encrypted form. Regardless of the added server CPU time needed to decrypt this information, there’s plenty of caching methods to avoid impacts on performance or an overload.

Canonical should know better. This was (still is, because it hasn’t been fixed) a KNOWN security vulnerability in that particular vBulletin plugin. How on earth can someone possibly be managing a web forums service that sustains 2 million accounts and not be vigilant about the securities issues that are announced for it? And if they were aware, why didn’t they disable the plugin or patched it themselves?

It’s becoming normal, acceptable, by everyone that these things happen. But what I see is something different. A very troubling road we are walking; I see services everywhere putting up their roadshow without a care in the world, for their benefit and then placing on the users they should have the obligation to protect all the consequences of their bad judgment calls on matters of security. User accounts get whacked on an almost monthly basis on the millionths at a time. And who ultimately pays the price for these companies bad security procedures are the users. And this needs to stop. Companies and services need to be made responsible when they offer a service like a web forum and then they fail to implement good security practices. I understand there is a thin line between what is the responsibility of a company and what is just the inherent and normal dangers of a server online presence. But if users started taking these things to court, you bet thet line would become clearer with time and companies would start acting more responsibly. Today, with the budget cost mentality of the modern business it is inevitable that until some punishment starts to show up, these companies will keep acting irresponsibly.

Sorry about the rant. I’m done.


You make some sound arguments @marfig, security should be a number one priority of all Linux devs as far as I’m concerned!. :thumbsup:


We all make mistakes; nothing is truer to history. What we need to do now is pull up our sleeves, and work up a good sweat. Of course we should all drink plenty of liquids, and always ask our doctor about doing anything too strenuous. Perhaps there needs to be a seal of approval established somewhere that verifies any given user account as being safe, and that would work very much like, say, those electrical safety approved seals that help assure consumers that an item will not burn their house down could make some of you guys a whole bunch of money. Just remember though: that to whom much is given, much is required.
I wonder what I should do? This fright helps incite an activity on my part to enhance my own security at presence. I believe I shall develop a formula. Well, at least, they had the good foresight to separate the passwords, so things should not really be rocking too hard with this. It is a wake up call; so “Thanks, I needed that!” If anything, it gives my username a little “name recognition”. I mean I wanted others out here to know that I exist, so I have this real cool username… What is malicious?:ghost:

1 Like