This post was co-authored with @Cyber_War_News.
Some days we scratch our heads at the folks who proudly claim hacks and then give law enforcement enough evidence to go after them. And then this happened:
#vBulletin 5.x.x hacked by Coldzer0 today. Licences & database dumped, shell on server. vBulletin denied. #0day #security #zeroday
— Terry Tran (@terryjunx) November 1, 2015
Meet Coldzer0. He says his name is Mohamed Osama, and on his web site, coldroot.com, he describes himself as a
Malware Analyst, Security Researcher, Reverse Engineer. Delphi Team Leader at Orbit Shield, instructor/Trainer at Orbit Shield / SQunity.
He even has a LinkedIn profile. And when he hacked vBulletin’s forum, he left a calling card:
He also uploaded a video to YouTube demonstrating that he had access, although that YouTube video was subsequently removed. And just to make sure he got “credit,” he also posted screenshots on his Facebook page and elsewhere. He deleted the Facebook ones soon after, but here’s a screenshot of his Facebook page, followed by an enlargement of the proof of the vBulletin hack:
Seriously? He also posted evidence of a shell:
At this point, it is not known to us how much of the data has been leaked and/or put up for sale, but a screenshot provided to @Cyber_War_News indicates that user IDs, full names, email addresses, and security questions and answers (both in plain text), along with password salts, are among the data he acquired. Here’s a redacted snippet from that screenshot (the original has many more entries):
Vbulletin.com remains offline with a statement that it is “down for maintenance.” They have yet to even officially confirm that they’ve had a database breach, as a cached copy of a forum thread on the breach indicates. As of October 29, Vbulletin Forum claimed to have 344,581 members.
If you’ve used the vBulletin forums, change your password immediately and assume that others are now in possession of the answer to your security question and other details, including credit card numbers (but not CVVs).
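The screenshot described above shows security answers stored in the clear, right beside the password salts, so anyone holding the dump can read them directly. The following is an added example (not code from the post, and not vBulletin's actual storage scheme, which the post does not describe) of how such answers can be stored so that a database dump does not expose them: normalize the answer, then keep only a per-record random salt and a slow PBKDF2 hash of it. The sample row, the field names, and the `harden_row` helper are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample row in the layout the post describes: user ID, name, e-mail,
# security question, plaintext answer, and the password salt stored beside it.
# Every value here is made up for this example.
PLAINTEXT_ROW = {
    "userid": 1001,
    "username": "example_user",
    "email": "user@example.invalid",
    "question": "Name of first pet?",
    "answer": "Fluffy",      # readable by anyone who obtains the dump
    "salt": "a1b2c3",        # password salt, stored in the clear next to it
}

PBKDF2_ROUNDS = 200_000  # slow on purpose: raises the cost of offline guessing


def normalize_answer(answer: str) -> str:
    """Canonicalize user input so 'Fluffy ' and 'fluffy' compare equal."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def store_answer(answer: str) -> dict:
    """Return a record holding only a fresh random salt and a salted PBKDF2 hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode(),
        bytes.fromhex(record["salt"]),
        record["rounds"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def harden_row(row: dict) -> dict:
    """Rewrite a plaintext row so the answer is no longer recoverable from a dump.

    Hypothetical helper: drops the cleartext answer and the reused password salt,
    replacing them with a self-contained hashed record.
    """
    hardened = {k: v for k, v in row.items() if k not in ("answer", "salt")}
    hardened["answer_record"] = store_answer(row["answer"])
    return hardened


if __name__ == "__main__":
    row = harden_row(PLAINTEXT_ROW)
    print(row)
    print(verify_answer(row["answer_record"], "  FLUFFY "))  # True
    print(verify_answer(row["answer_record"], "Rex"))        # False
```

Hashing does not turn a low-entropy answer like a pet's name into a strong secret; it only stops the dump from handing the answers over directly and forces per-record guessing. That is why the advice above to assume the answer is known still stands, and why a hashed answer should gate account recovery only alongside another factor, never on its own.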
The Vbulletin forum was not the only one hacked, however. An article in Vietnamese (translation here) reported that Foxit Software’s forum was also hacked. Coldzer0 informed @Cyber_War_News that he had breached Foxit’s forum over a period of two days, using the same 0day exploit he used with Vbulletin. He claims to have obtained information on over 260,000 accounts. According to Foxit forum’s member list, it has almost 537,000 user accounts. Coldzer0 informed @Cyber_War_News (typos in original):
vBsecurity team from yesterday and they can’t catch it.
and here’s the most weird thing
they using F5 on there servers and didn’t detect my shell or even detecting my traffic
Foxit Software was sent an email asking them to confirm the claimed hack of their forum and databases. This post will be updated as more information becomes available.
OMG
Can we use this URL in the Knowledge Vault as
(2015-11-02 vBulletin, Foxit Software forums hacked by Coldzer0; hundreds of thousands of users’ info stolen http://www.databreaches.net/vbulletin-foxit-software-forums-hacked-by-coldzer0-hundreds-of-thousands-of-users-info-stolen/ EN #threats #report #advanced #priv #standard #vbulletin #hack #databreach #pwned #coldzer0 #dataleak)?
https://docs.google.com/spreadsheets/d/17IuPDavAW-ZjsvpLhFDHQ5e4IlzBG2jowDFb5ozg1CM/edit?usp=sharing
This is part of Security Culture Initiative
https://drive.google.com/open?id=0B0TkBywht9JSeFdOWVlXZTlLMzlPcUlEdnlGZFJSVEhQUy1r
Sure.