# VerticalScope compromised



## RS-Tom (Mar 17, 2014)

So I am sure you are aware that VerticalScope have been "owned" and details stolen. Is this forum still owned by VerticalScope and, if it is, are we going to hear about it on the forum, and can we have confirmation on what details were stolen from this forum as part of the attack? Is anyone able to advise on how our details are secured and what hashing algorithm is used to store passwords on this forum?


----------



## John-H (Jul 13, 2005)

I'm told that the compromise was made to the Vbulletin platform. The TT forum is based on the phpBB platform. All account passwords are encrypted on phpBB and use different encryption.

It remains good practice to use a strong password and change it frequently nonetheless.


----------



## RS-Tom (Mar 17, 2014)

Hi John,

Thanks for the response. From the information I have been passed, it looks like it was against more than just the vbulletin platform.

I'm presuming when you say encrypted you mean hashed? Do you know what mechanism is used to hash the passwords (I would like to identify how strong they might be)? It's not an issue for me personally (never re-use a password), I'm just trying to get some facts so I can advise some friends.


----------



## John-H (Jul 13, 2005)

Apparently the breach occurred through a Vbulletin third party plug-in which is widely used and on other Vbulletin forums, not only ones owned by Vertical Scope. This is why it covered so many forums. I'm told it does not affect phpBB - only Vbulletin. I believe phpBB uses a customised encryption which they employed when they moved away from the older method used by Vbulletin.

Data stolen from the Vbulletin platform includes email addresses and encrypted password data. It is possible to decrypt passwords given time with brute force methods, and especially if they are simple such as "password" or "123456" etc. Simple passwords must be considered compromised. Strong passwords take longer and depend on the time and effort put in to crack them.

It's important, therefore, that if you are a member of any forum using Vbulletin as a platform you change your password, even if a stronger one has been used. If you use the same password elsewhere you should change that too.


----------



## RS-Tom (Mar 17, 2014)

Hi John,

It wasn't just vBulletin, I know the IPB forums were also compromised (my details are in the dump for various IPB forums owned by VerticalScope) and according to various sources WordPress credentials are in it too.

Have VerticalScope confirmed to the TT forum that they aren't affected in the breach?

With regards to the "encryption" you keep mentioning, are you sure you don't mean the passwords are "hashed"? There is a big difference between an encrypted password and a hashed password. Encrypting passwords is regarded as a very bad practice. Passwords should be stored using an adaptive one-way function. To my knowledge phpBB "hashes" their passwords, they don't encrypt them. Depending on the version of phpBB the hashing function might be old and very insecure, an example of a bad hashing function would be storing passwords in a salted md5 hash. The newer versions of phpBB support secure hashing functions such as bcrypt.

Also, the majority of vBulletin passwords were stored using a weak hashing function (salted md5 hashes). You can't decrypt them, but you can crack them: md5 is a very fast hashing algorithm, so it doesn't actually take a lot of time, which is why you will already find analysis of the passwords in the dumps.

Happy to talk via PM if it helps.


----------



## John-H (Jul 13, 2005)

I was using the term encryption loosely, as most people understand it to mean to hide the password. What's actually used, as you correctly say, is different in that it's a one-way encryption that can't be retrieved. I know phpBB moved away from md5. I believe it's customised but I don't have details.

I've been told that phpBB was not involved in the data loss specific to Vbulletin, that this happened some time back and has now been fully investigated. If there has been a compromise to a phpBB forum this may be site specific but I don't know further.

I'll see if I can get someone from support to comment.


----------



## Dash (Oct 5, 2008)

A hash uses a one-way cryptographic function. It is not mathematically possible to unencrypt a hash as data isn't retained.

The only way to calculate a password is to run made-up passwords through the same routine and see if the resulting hash is matched.

There are various technical things that can be done to prevent password guessing, but the best defence is down to the user providing a long password (16 characters is a good place to start). Gaining somebody's password is of limited use for a forum. If you get an administrator's password then you can do some damage (but if you've lifted the database already, it's unlikely that you're having problems causing damage already) - if you get a user's password it's useful if that user uses the same password for other web-sites, systems, or even banking.
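
Illustrating RS-Tom's distinction above between hashing and encryption, and Dash's point that the only way to recover a password is to re-run candidates through the same function, here is an added Python example that is not code from the forum, phpBB or vBulletin. It uses a generic salted-MD5 construction for the legacy scheme (not a claim about any platform's exact formula), the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, and a constructed record format; the iteration count and sample sizes are assumptions.

```python
import hashlib
import hmac
import os
import time

# Record format (constructed for this example): "md5$<salt>$<hash>" or
# "pbkdf2$<iterations>$<salt>$<hash>"; PBKDF2-HMAC-SHA256 stands in for bcrypt.
PBKDF2_ITERATIONS = 100_000  # cost factor; raise it as hardware gets faster

def hash_salted_md5(password: str, salt: bytes) -> str:
    """Legacy salted MD5: the salt defeats precomputed tables, but a guess costs one fast MD5."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"

def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Adaptive one-way function: each guess costs `iterations` HMAC rounds."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """No decrypt step exists: recompute with the stored salt and compare in constant time."""
    fields = stored.split("$")
    salt = bytes.fromhex(fields[-2])
    if fields[0] == "md5":
        candidate = hash_salted_md5(password, salt)
    elif fields[0] == "pbkdf2":
        candidate = hash_pbkdf2(password, salt, int(fields[1]))
    else:
        raise ValueError(f"unknown scheme {fields[0]!r}")
    return hmac.compare_digest(candidate, stored)

def upgrade_if_legacy(password: str, stored: str):
    """Re-hash a legacy record at login, when the plaintext is briefly available.
    Returns the record to keep, or None if the password is wrong."""
    if not verify(password, stored):
        return None
    return hash_pbkdf2(password, os.urandom(16)) if stored.startswith("md5$") else stored

def guess_cost_ratio(md5_samples: int = 2000, kdf_samples: int = 3) -> float:
    """How many times more work one candidate guess costs under PBKDF2 than under salted MD5."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(md5_samples):
        hash_salted_md5("constructed-sample", salt)
    md5_cost = (time.perf_counter() - t0) / md5_samples
    t0 = time.perf_counter()
    for _ in range(kdf_samples):
        hash_pbkdf2("constructed-sample", salt)
    return ((time.perf_counter() - t0) / kdf_samples) / md5_cost
```

The ratio returned by `guess_cost_ratio` is the per-guess slowdown an offline guessing run suffers after migrating from salted MD5 to an adaptive function; the upgrade-at-login path is the alternative to a forced reset when the plaintext is never otherwise available.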


----------



## TTFAdmin (Feb 1, 2012)

RS-Tom said:


> Hi John,
> 
> It wasn't just vBulletin, I know the IPB forums were also compromised (my details are in the dump for various IPB forums owned by VerticalScope) and according to various sources WordPress credentials are in it too.
> 
> Have VerticalScope confirmed to the TT forum that they aren't affected in the breach?


Hey there,

As mentioned, the breach was through a third party plugin on our vB sites. We'd be interested to know if you have information on any IPB forums we run. Could you PM us the sites you are a member of?

As for our phpBB sites, we have not made any announcements here as the breach does not affect them. However, sometime in the near future, all IPB and phpBB sites will receive the same password reset and more complex criteria as our vB sites are currently undergoing.

This is all still being dealt with by our US and Canadian legal teams, so we are unable to divulge much information at this time.

It's never a bad idea to go ahead and update your passwords anyway, if you so choose. The reset will override these, if you'd rather wait and only do it once.

Thanks everyone!

Dayle


----------



## RS-Tom (Mar 17, 2014)

Hi Dayle,

Thank you for the response. I will drop you a message with some information in.


----------

