Hackers exploit vBulletin flaw to access 27M accounts on 11 websites

Attackers used a flaw in the internet forum software vBulletin to breach 11 websites, exposing the personal information of 27 million accounts, according to the breached data monitoring service LeakedSource.

Most of the accessed accounts were associated with gaming websites on mail.ru, the Russian Internet company and e-mail platform. The breached websites used outdated versions of the vBulletin software that contained SQL injection flaws in the Forum Runner add-on.

LeakedSource told PCWorld that four or five attackers exploited a SQL injection vulnerability in vBulletin's forum software. “Unfortunately we can confirm the existence of a 0day Vbulletin exploit. Expect lots of data to be added to LeakedSource,” the monitoring service tweeted last month.

The breached user information included usernames, email addresses, phone numbers, IP addresses, and birthdays. Several other domains were also breached, including expertlaw.com, ageofconan.com, anarchy-online.com, freeadvice.com, gamesforum.com, longestjourney.com, ppcgeeks.com, and thesecretworld.com.