VerticalScope, which hosts 1,100 websites and forums, was hacked earlier this year, with the details of around 45 million users later leaked online.
Some of the most popular online communities hosted by VerticalScope include Techsupportforum.com, MobileCampsites.com, Pbnation.com, and Motorcycle.com, all of which were impacted by the data leak. Apparently, the data was stolen during a breach in February this year, according to paid search engine LeakedSource, which broke the news on the incident.
In a blog post, LeakedSource claims that each of the 45 million VerticalScope records that it managed to obtain may contain an email address, a username, an IP address, one password and in some cases a second password. They also say that the massive scale of the breach can be explained only if VerticalScope stored all of their data on the same or on interconnected servers.
Furthermore, they note that passwords weren’t stored in the most secure way in most cases, with only 10 percent of the affected domains using various encryption methods to secure the passwords. In the case of over 40 million of the leaked records, however, passwords were stored only using MD5 with salting, which is by no means enough to keep them secure.
LeakedSource claims that it has had the leaked data since April, that they have already confirmed that it is legitimate information, but that they took the time to analyze the data only now. However, the search engine doesn’t offer specific details on how it came by the leaked data.
VerticalScope, on the other hand, says in a recent “security update” post that it is aware of claims that user data might have been compromised across multiple communities, and that it will strengthen password security to ensure minimum impact.
All of their communities’ users will receive an email shortly, prompting them to change their passwords, and the company also plans on sending reminders with password safety tips, such as to avoid the re-use of passwords across other platforms and communities. It will also implement stricter password expiration rules, forcing users to change their passwords on a more regular basis.
“These are in response to increased Internet awareness of security-related incidents on outside major social media websites with which we share many common users. In addition, we recently became aware of potential risks to community accounts (username, userid, encrypted password and email address) on many Forum online communities, including some owned and operated by VerticalScope. To be safe, these changes are being implemented on all of our Forum communities to help protect all of our users on each of our websites,” the company says.
VerticalScope also says that it is investigating the incident and gathering data to provide to law enforcement. Moreover, it notes that password-sharing between sites is another issue that impacts users, especially after multiple social-media sites have had reported breaches in recent months.
All things considered, it is still unclear how the breach could have impacted such a large number of communities and how attackers were able to penetrate VerticalScope’s systems in the first place. As IT Security expert Sorin Mustaca told SecurityWeek in an email, it’s actually doubtful that VerticalScope was storing all data in a single place.
“While this is technically not impossible, I seriously doubt that they invested so much work in consolidating user accounts into a single database,” Mustaca says.
He points out that some of the VerticalScope websites are using vBulletin, and that attackers might have abused vulnerabilities in this software to gain access to the database. Some websites use vBulletin 3.8.7 Patch Level 3, and hacking tools that specifically target this software version, allowing attackers to crack the licensing protection of vbulletin.com, to send spam, and to dump data, can be found with a simple search on the web.
Mustaca also explains that some other popular websites belonging to the VerticalScope group are based on the WordPress content management system (CMS), and that some run the WordPress 4.2.4 version, released on August 4, 2015. Currently at 4.5.2, WordPress has patched numerous security flaws since August last year, and vulnerabilities in the older CMS variant, paired with security bugs in some outdated and vulnerable plugins used on these websites, provided enough attack surface for a massive data breach.
However, Mustaca notes that some of LeakedSource’s claims don’t add up when looking at the whole picture: “After reading the Summary of the dump on LeakedSource I am starting to see here a pattern: ‘Each record may contain an email address, a username, an IP address, one password and in some cases a second password’. This is exactly the same as in the Myspace breach: ‘Each record may contain an email address, a username, one password and in some cases a second password.’ How come that two completely unrelated breaches share the dump format? Could it be that they are converted somehow into a single format before they are put on sale?”
Amit Ashbel, Cyber Security Evangelist at Checkmarx, told SecurityWeek that, regardless of how hackers managed to perform their attack, VerticalScope is to be held responsible if user passwords are cracked, mainly because they should have stored them as securely as possible.
“No matter how the attack was executed and how many layers of protection were implemented, VerticalScope, like others before them are accountable for the simple fact that they did not comply with the most basic standard of using sophisticated encryption techniques to avoid decryption of passwords which were stolen. The passwords were hashed using MD5 which anyone (yes anyone) could revert to plain text within minutes,” Ashbel says.
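An added example (not part of the original article and not VerticalScope's code) of how a site holding salted-MD5 records like those described in the LeakedSource findings and in Ashbel's comment can stop storing bare MD5 without waiting for every user to log in: each stored hash is wrapped in a slow KDF offline, then replaced by a pure KDF hash on the next successful login. The md5(salt + password) layout, the record fields and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)

def legacy_md5(password: str, salt: bytes) -> str:
    """Assumed legacy scheme: hex MD5 over salt || password."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def wrap_legacy(record: dict) -> dict:
    """Offline step: replace a stored MD5 with PBKDF2(MD5) so no fast hash stays on disk."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "md5_salt": record["salt"],
            "kdf_salt": kdf_salt, "hash": _kdf(record["hash"].encode(), kdf_salt)}

def new_record(password: str) -> dict:
    """Target format: PBKDF2 directly over the password with a fresh random salt."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2", "kdf_salt": kdf_salt,
            "hash": _kdf(password.encode(), kdf_salt)}

def verify(password: str, record: dict):
    """Return (ok, record); a wrapped record is upgraded after a successful login."""
    if record["scheme"] == "pbkdf2(md5)":
        inner = legacy_md5(password, record["md5_salt"]).encode()
        ok = hmac.compare_digest(_kdf(inner, record["kdf_salt"]), record["hash"])
        return ok, (new_record(password) if ok else record)
    if record["scheme"] == "pbkdf2":
        ok = hmac.compare_digest(_kdf(password.encode(), record["kdf_salt"]), record["hash"])
        return ok, record
    return False, record  # bare "md5" records are refused once migration has run

def demo():
    # Constructed sample record, not taken from any real dump.
    salt = b"x9Q"
    old = {"scheme": "md5", "salt": salt, "hash": legacy_md5("correct horse", salt)}
    wrapped = wrap_legacy(old)
    ok, upgraded = verify("correct horse", wrapped)
    bad, _ = verify("wrong guess", wrapped)
    return wrapped["scheme"], ok, upgraded["scheme"], bad

if __name__ == "__main__":
    print(demo())
```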
By SecurityWeek News on June 15, 2016