Canonical, the company behind the popular Ubuntu Linux distribution, has warned of a breach on its forums that has resulted in the theft of user account details.
Canonical's Ubuntu Forum is one of the most popular Linux-related sites around, boasting more than two million registered users and frequently coming top in search results for Linux queries - even those not relating specifically to the Debian-derived Ubuntu. Such popularity, though, makes it a natural target for attackers, one or more of whom recently made off with a copy of the forum database.
According to a security advisory published by Canonical's Jane Silber, while the attacker had access to the complete forum database, evidence suggests only the 'user' table was accessed. This table includes usernames, email addresses, and IP addresses for the forum's two-million-plus user base - but, the company has been quick to assure users, not passwords. As the Ubuntu Forum site uses a single-sign-on (SSO) system, the field which would normally contain passwords instead contained random strings not related to a user's actual password - and even then each was hashed and salted, as is best practice.
Canonical's investigations suggest that the breach was due to a vulnerability in the third-party vBulletin platform which powers the forum, and the company says it is confident that the attacker or attackers had no access to any Ubuntu code repository or update server, valid user passwords, or any other Canonical system or service.