
Comodo Forums Breached, Data of Over 170,000 Users Up for Grabs


steven36


Account data belonging to more than half of all Comodo Forums users has been stolen and is now traded online. The breach was made possible by exploiting a vulnerability in the software that powers the forum.

 

 


 

 

Comodo today published a security notice informing users that an intruder may have gained access to the forums database.

 

"Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public," the notification begins.

 

The bug in vBulletin is critical, being extremely easy to leverage. Details were made public a week ago but exploit brokers had known about it for three years.

 

Since the exploit code was published, attackers started pounding vBulletin-powered forums. One botnet even secured the servers after compromising them by modifying the vulnerable code so that command execution required a password.

Comodo notifies its forum users

According to the announcement from Comodo, an attacker exploited the vBulletin security flaw on Sunday at 04:57 AM EST; their action resulted "in a potential data breach on the Comodo Forums."

The investigation is in an early stage and efforts are being made to determine what data has been accessed.

 

The Comodo Forum is powered by the open-source Simple Machines Forum software, but vBulletin is used on another board dedicated to product updates and discussions, which has far fewer members. The ITarian forum, also by Comodo, has 45,300 users and is on vBulletin. They published a similar announcement and the same recommendations.

 

"User accounts on the forums contain information such as username, name, e-mail address, last IP used to access the forums and if used, potentially some social media usernames in very limited situations." - Comodo

 

The notification says that all passwords were stored in encrypted form but forum users are recommended to change them, as a precautionary measure.

Filling in the blanks

On a site where users exchange and sell databases from breach or leak incidents, someone offered a dump that contains at least the password, email, and username of over 170,000 Comodo Forums users. According to Comodo, their forums have around 245,000 registered users.

 

The individual advertising the database specifically says that the dump is from Comodo's discussion website running on the Simple Machines Forum software and that the data was fresh, from September 29. They also say that the passwords are hashed using the MD5 algorithm, which is not only highly vulnerable but also very easy to crack to recover the original string behind the hash.

 


 

BleepingComputer received a sample of the database and was able to verify that it was genuine. Most of the users in it were inactive Comodo Forums members, but one of them is an active user and confirmed an email address we provided as being theirs and used on the forum, as well as other details.

 

The full extent of the user details available in the database is unclear but the sample seen by BleepingComputer included the following:

 

  • ID
  • name
  • country
  • IP address of the last login
  • password and its salt
  • provided birth date
  • security question
  • hashed security answer
  • registration date
  • messenger usernames
  • total time logged in

 

Some of the information was present only for the users that provided it.

 

BleepingComputer contacted Comodo for clarification regarding the forum that was breached. We will update the article when we have the new information.

 

Source

 

 
