VerticalScope, which hosts 1,100 websites and forums, was hacked earlier this year, with the details of around 45 million users later leaked online.
Some of the most popular online communities hosted by VerticalScope include Techsupportforum.com, MobileCampsites.com, Pbnation.com, and Motorcycle.com, all of which were affected by the data leak. According to the paid search engine LeakedSource, which broke the news of the incident, the data was stolen in a breach in February this year.
In a blog post, LeakedSource claims that each of the 45 million VerticalScope records that it managed to obtain may contain an email address, a username, an IP address, one password and in some cases a second password. They also say that the massive scale of the breach can be explained only if VerticalScope stored all of their data on the same or on interconnected servers.
Furthermore, they note that in most cases the passwords were not stored securely: only about 10 percent of the affected domains protected passwords with stronger hashing schemes. For over 40 million of the leaked records, passwords were stored as salted MD5 hashes. Salting stops an attacker from reusing one precomputed table across every account, but MD5 is so cheap to compute that a per-account dictionary attack costs next to nothing, so a salted MD5 hash offers no real protection for a weak password.
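To make the point above concrete, here is an added example (not code from the article, LeakedSource or VerticalScope) that builds a constructed dump of four forum accounts with salted MD5 hashes, runs a per-account dictionary attack against it, and then shows the same attack's cost against a deliberately slow, salted key-derivation function. The exact hash construction, md5(md5(password) + salt), is an assumption modelled on vBulletin 3's scheme; the article only says "MD5 with salting". The wordlist, usernames, salts and PBKDF2 iteration count are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Constructed wordlist for illustration only.
WORDLIST = ["password", "123456", "letmein", "motorcycle", "qwerty", "dragon"]


def salted_md5(password: str, salt: str) -> str:
    """Assumed vBulletin 3.x-style scheme: md5(md5(password) + salt).
    The article only says 'MD5 with salting'; this exact construction is an assumption."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Constructed dump (not real data). alice and bob share a password; their salts differ,
# so their stored hashes differ, which is all a salt buys you.
DUMP = [
    ("alice", "Ab3", salted_md5("motorcycle", "Ab3")),
    ("bob",   "xQ9", salted_md5("motorcycle", "xQ9")),
    ("carol", "7hZ", salted_md5("letmein", "7hZ")),
    ("dave",  "Lm2", salted_md5("correct horse battery staple", "Lm2")),
]


def crack_salted_md5(dump: List[Tuple[str, str, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-account dictionary attack. The salt forces one hash per (account, candidate)
    instead of one shared rainbow table, but each hash is just two MD5 calls, so the
    whole dump falls in milliseconds. Returns (cracked {user: password}, hashes computed)."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, salt, digest in dump:
        for candidate in wordlist:
            work += 1
            if salted_md5(candidate, salt) == digest:
                cracked[user] = candidate
                break
    return cracked, work


# What "as securely as possible" looks like: a salted, deliberately slow KDF.
PBKDF2_ITERATIONS = 100_000  # assumption: a modest cost; raise it as hardware gets faster


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key), with a fresh 16-byte random salt per account."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def pbkdf2_verify(password: str, salt: bytes, key: bytes) -> bool:
    """Constant-time comparison so verification itself does not leak the stored key."""
    _, candidate = pbkdf2_store(password, salt)
    return hmac.compare_digest(candidate, key)


def guess_cost_ratio(samples: int = 5) -> float:
    """How many times slower one PBKDF2 guess is than one salted-MD5 guess on this machine.
    The dictionary attack above scales by exactly this factor."""
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        salted_md5("motorcycle", "Ab3")
    md5_per_guess = (time.perf_counter() - t0) / (samples * 1000)

    salt = b"0123456789abcdef"
    t0 = time.perf_counter()
    for _ in range(samples):
        pbkdf2_store("motorcycle", salt)
    pbkdf2_per_guess = (time.perf_counter() - t0) / samples
    return pbkdf2_per_guess / max(md5_per_guess, 1e-9)


if __name__ == "__main__":
    cracked, work = crack_salted_md5(DUMP, WORDLIST)
    print(f"cracked {len(cracked)}/{len(DUMP)} accounts with {work} hashes: {cracked}")
    print(f"one PBKDF2 guess costs roughly {guess_cost_ratio():.0f}x one salted-MD5 guess")
```

Running it recovers three of the four accounts with 17 hash computations; only the long passphrase survives. The salt did its one job (alice and bob have different hashes despite the same password), but it does not slow the attacker down. With PBKDF2 at the assumed iteration count, every guess costs tens of thousands of times more, which is what turns a 40-million-record dump from a weekend project into an infeasible one for all but the weakest passwords.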
LeakedSource claims that it has had the leaked data since April and that it has already confirmed the information is legitimate, but that it only now took the time to analyze it. The search engine does not say how it obtained the data.
VerticalScope, on the other hand, says in a recent “security update” post that it is aware of claims that user data might have been compromised across multiple communities, and that it will strengthen password security to ensure minimum impact.
All of their communities’ users will receive an email shortly, prompting them to change their passwords, and the company also plans on sending reminders with password safety tips, such as to avoid the re-use of passwords across other platforms and communities. It will also implement stricter password expiration rules, forcing users to change their passwords on a more regular basis.
“These are in response to increased Internet awareness of security-related incidents on outside major social media websites with which we share many common users. In addition, we recently became aware of potential risks to community accounts (username, userid, encrypted password and email address) on many Forum online communities, including some owned and operated by VerticalScope. To be safe, these changes are being implemented on all of our Forum communities to help protect all of our users on each of our websites,” the company says.
VerticalScope also says that it is investigating the incident and gathering data to provide to law enforcement. It also notes that password reuse across sites is another issue affecting users, especially after multiple social-media sites reported breaches in recent months.
All things considered, it is still unclear how the breach could have affected so many communities and how attackers penetrated VerticalScope's systems in the first place. As IT security expert Sorin Mustaca told SecurityWeek in an email, it is actually doubtful that VerticalScope stored all of its data in a single place.
“While this is technically not impossible, I seriously doubt that they invested so much work in consolidating user accounts into a single database,” Mustaca says.
He points out that some VerticalScope websites run vBulletin, and that attackers might have exploited vulnerabilities in this software to reach the database. Some sites run vBulletin 3.8.7 Patch Level 3, and tools that target this specific version, allowing attackers to crack the licensing protection of vbulletin.com, send spam, and dump data, can be found with a simple web search.
Mustaca also explains that other popular websites in the VerticalScope group are built on the WordPress content management system (CMS), and that some run WordPress 4.2.4, released on August 4, 2015. WordPress, currently at 4.5.2, has patched numerous security flaws since then; vulnerabilities in the older version, combined with bugs in outdated plugins on these sites, would offer plenty of attack surface for a large breach.
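The outdated-version argument above is easy to check across a fleet of sites you operate. The following added example (not code from the article or from VerticalScope) fingerprints the `<meta name="generator">` tag that WordPress and vBulletin 3 emit by default, parses the version, and compares it against a baseline of current releases. The sample HTML and hostnames are constructed; the only baseline version taken from the article is WordPress 4.5.2, so vBulletin sites are reported as lacking a baseline rather than being judged against an invented one. Note that many sites strip the generator tag, so "no generator tag" means unknown, not safe.

```python
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple

# Constructed sample pages standing in for a crawl of a forum fleet (not real VerticalScope HTML).
SAMPLE_PAGES = {
    "forum-a.example": '<html><head><meta name="generator" content="vBulletin 3.8.7" /></head></html>',
    "blog-b.example":  '<html><head><meta content="WordPress 4.2.4" name="generator"></head></html>',
    "blog-c.example":  '<html><head><META NAME="generator" CONTENT="WordPress 4.5.2"></head></html>',
    "site-d.example":  '<html><head><title>no generator tag here</title></head></html>',
}

# Baseline "current" versions. Only WordPress 4.5.2 comes from the article; products without
# a baseline are reported as unknown instead of being compared against a guessed number.
BASELINE = {"WordPress": "4.5.2"}


class GeneratorParser(HTMLParser):
    """Collect the content of <meta name="generator">, whatever the attribute order or case.
    HTMLParser lowercases tag and attribute names for us; values are left untouched."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: Optional[str] = None

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "meta" or self.generator is not None:
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("name", "").lower() == "generator" and a.get("content"):
            self.generator = a["content"]


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.4' -> (4, 2, 4). Tolerates suffixes such as '3.8.7 Patch Level 3' by keeping
    only the leading digits of each dotted piece, so tuples compare correctly."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def fingerprint(html: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) from the generator tag, or None if there is no tag."""
    parser = GeneratorParser()
    parser.feed(html)
    if not parser.generator:
        return None
    product, _, version = parser.generator.partition(" ")
    return product, version or "?"


def audit(pages: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as outdated, current, no baseline, or no generator tag."""
    report: Dict[str, str] = {}
    for host, html in pages.items():
        fp = fingerprint(html)
        if fp is None:
            report[host] = "no generator tag"
            continue
        product, version = fp
        if product not in baseline:
            report[host] = f"no baseline ({product} {version})"
        elif parse_version(version) < parse_version(baseline[product]):
            report[host] = f"outdated ({product} {version} < {baseline[product]})"
        else:
            report[host] = f"current ({product} {version})"
    return report


if __name__ == "__main__":
    for host, status in audit(SAMPLE_PAGES, BASELINE).items():
        print(f"{host:20s} {status}")
```

Versions are compared as integer tuples rather than strings, so "4.10.0" correctly sorts above "4.9.2". In a real deployment the pages would come from an authenticated crawl of your own hosts and the baseline from the vendors' release feeds; the generator tag is a starting point, not proof of the exact patch level, since distributions and plugins may alter it.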
However, Mustaca notes that some of LeakedSource’s claims don’t add up when looking at the whole picture: “After reading the Summary of the dump on LeakedSource I am starting to see here a pattern: ‘Each record may contain an email address, a username, an IP address, one password and in some cases a second password’. This is exactly the same as in the Myspace breach: ‘Each record may contain an email address, a username, one password and in some cases a second password.’ How come that two completely unrelated breaches share the dump format? Could it be that they are converted somehow into a single format before they are put on sale?”
Amit Ashbel, Cyber Security Evangelist at Checkmarx, told SecurityWeek that, regardless of how hackers managed to perform their attack, VerticalScope is to be held responsible if user passwords are cracked, mainly because they should have stored them as securely as possible.
“No matter how the attack was executed and how many layers of protection were implemented, VerticalScope, like others before them, are accountable for the simple fact that they did not comply with the most basic standard of using sophisticated encryption techniques to avoid decryption of passwords which were stolen. The passwords were hashed using MD5 which anyone (yes anyone) could revert to plain text within minutes,” Ashbel says.
“Following the basic OWASP top 10 guidelines would have prevented a lot of headaches for both users and VerticalScope by making sure that the stolen data has much less value. Maybe it’s time that websites are forced to indicate what security standards they follow to protect their user’s data.”
Responding to a SecurityWeek inquiry, Jerry Orban, VP Corporate Development at VerticalScope Inc., provided the following statement:
We are aware of the possible issue and our internal security team has been investigating the issue. We will be collecting information to provide to the appropriate law enforcement agencies. We believe that any potential breach is limited to user names, userids, email addresses, ip addresses and encrypted passwords of our community users. In response to increased Internet awareness of security-related incidents, including potential incidents on our communities, we are implementing changes to strengthen our password policies and practices across all of our communities as a precautionary security measure. These include:
-Resetting user passwords. Each community member is in the process of receiving a notification that they are required to reset their password before accessing their community accounts.
-Enhancing password rules to require strong passwords and periodic password expiration. Acceptable passwords must now have a minimum of 10+ characters and a mixture of upper and lowercase letters, numbers and symbols. Additionally, our administrators and moderators will have a two-step password verification, and users will be reminded to use good “password hygiene” which means not using the same password for multiple online accounts and using unique strong passwords for each.
-Engaging certain third party vendors that provide desktop and mobile plug-ins and notifying them of the breach to allow their own security teams to investigate.
While we run encrypted passwords and salted hashes to store passwords on all user accounts, our new password rules are intended to further strengthen user security. We are also taking steps to investigate and test new encryption and security technologies to allow us to further protect our users.
We’ve seen multiple very large breaches made public over the past several weeks, supposedly affecting nearly one billion users in total. It all started in mid-May with news of 167 million LinkedIn user accounts being compromised, and continued with Myspace (360 million), Tumblr (65 million), and VK (170 million). Last week, 32 million Twitter credentials emerged on the Dark Web, not as the result of a breach of Twitter itself, but more likely gathered with the help of malware.
Last month, Reddit decided to prompt users to reset their passwords to avoid account takeovers, while Microsoft announced that it is banning commonly used passwords from its services.
*Updated with statement from VerticalScope