A few days ago, the Ubuntu Forums were breached by unknown assailants. A total of two million user accounts were stolen, albeit there is no need to worry just yet. User passwords are not compromised, as the assailants only obtained random text strings stored in the database. The issue has been corrected in the meantime, and full service has been restored.
In most cases when a data breach takes place, user accounts are not safe from harm. But as far as the Ubuntu Forums hack is concerned, no user passwords were stolen. The issue came to light when a deep web seller claimed to own a copy of the Ubuntu Forums database, containing roughly two million user accounts.
The Canonical IS team investigated the matter promptly and discovered an exposure of data had taken place. The Ubuntu Forums were shut down for a while to address this issue, and ensure new security measures could be implemented. As it turns out, an SQL injection vulnerability had been used to exploit the Forumrunner add-on.
Submitted by: Arnfried Walbrecht