The owner of 'Social Engineered,' a forum member who goes by the pseudonym 'Snow101', has announced that the platform has been breached and is urging members to reset their passwords. The attack was carried out by an unknown person, and the stolen user data was published on an unnamed rival forum. Snow101 has attributed the incident to a vulnerability in MyBB, an open-source tool for creating and running online forums. This coincides with a relevant announcement by MyBB warning forum admins running version 1.8.21 and older about an XSS flaw that allows attackers to remotely execute code in the admin panel through a file write. That can easily lead to the takeover of any account on the target forum, which is apparently what happened with Social Engineered.
The forum in question is devoted to 'the art of human hacking,' hosting discussions about how to trick people into giving away their sensitive information, sharing useful data about others, or performing actions on behalf of the fraudster. The term refers to psychological manipulation rather than technical hacking, and malicious actors love it for its simplicity, straightforwardness, and the minimal requirements for a successful outcome. Not everyone who takes part in the forum's discussions is necessarily a fraudster, but all of them have nonetheless been compromised and had their details published on a rival website.
According to 'HaveIBeenPwned', the compromised user data includes the email addresses, IP addresses, passwords, private messages, and usernames of 89,392 Social Engineered forum members. The breach is dated June 13, 2019, while the corresponding entry in HIBP was added yesterday. While the passwords are salted MD5 hashes, the private messages and IP addresses alone should be enough to cause trouble for those indulging in shady activities. The compromised forum was also briefly taken down so that the necessary infrastructure change could take place.
The owner of Social Engineered has announced that they’re now moving the forum to the XenForo platform, which should prevent any similar occurrences in the future. However, we should point out that the MyBB flaw was published on June 11, together with the patch that plugged the hole. The forum admin had two days to update MyBB before the attack took place, which should be enough time for a security-minded individual to act. Public disclosure of a flaw sends the risk of getting hacked through the roof, so it’s only a matter of time before an attacker knocks at your door. In this case, that time was just two days, and Social Engineered was only one of the many forums running a vulnerable version of MyBB that lost their user data to this recent wave of attacks.