There has been a security breach on the Ubuntu Forums site. We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation. Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we’d like to share the details of the breach and what steps have been taken. While user data such as email addresses was exposed, no passwords were compromised. We apologise for the breach and ensuing inconvenience.
At 20:33 UTC on 14th July 2016, Canonical’s IS team were notified by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the Forums database.
After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.
The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.
They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted).
We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.
We know the attacker was NOT able to gain access to valid user passwords.
We believe the attacker was NOT able to escalate past remote SQL read access to the Forums database on the Forums database servers.
We believe the attacker was NOT able to gain remote SQL write access to the Forums database.
We believe the attacker was NOT able to gain shell access on any of the Forums app or database servers.
We believe the attacker did NOT gain any access at all to the Forums front end servers.
We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.
UPDATED 19 July 2016 to reinforce that user passwords were not compromised.
Interested in running Ubuntu Desktop in your organisation?
Ubuntu 14.04 LTS – ESM will become available once Ubuntu 14.04 Trusty Tahr reaches its End of Life on April 30, 2019. Extended Security Maintenance (ESM) is an available feature with Ubuntu Advantage, Canonical’s commercial support…
A couple of weeks ago, we talked about snap security, taking a journey through the eyes of a developer and handing over to a user who wants to install applications from the Snap Store. We discussed concepts like application confinement,…
Quite often, security and functionality are two opposing forces. Vendors are trapped in a zero-sum game between providing their users as much freedom in the software they use and limiting said freedom to create tightly controlled and…