Kodi discloses data breach after its forum was compromised

Open-source media player software provider Kodi discloses a data breach after threat actors stole its MyBB forum database.

Kodi has disclosed a data breach, threat actors have stolen the company’s MyBB forum database that contained data for over 400K users and private messages.

The threat actors also attempted to sell the stolen data on the BreachForums cybercrime forum that was recently shut down by law enforcement.

“In the last 24 hours we became aware of a dump of the Kodi user forum (MyBB) software being advertised for sale on internet forums. This post confirms that a breach has taken place.” reads the advisory published by Kodi. “MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February. The account was used to create database backups which were then downloaded and deleted. It also downloaded existing nightly full-backups of the database. The account owner has confirmed they did not access the admin console to perform these actions.”

The admin team locked out the intruders by disabling the account used in the data breach and conducted an initial review of part of the infrastructure that was accessed by the attackers

The threat actors then abused the account to create database backups that were then downloaded and deleted.

The threat actor was able to access the nightly backups containing all public forum posts, team forum posts, messages sent through the user-to-user messaging system, and user information such as forum username, email address used for notifications, and an encrypted (hashed and salted) password generated by the MyBB software.

The company pointed out that although MyBB stores passwords in an encrypted format they assumed all passwords are compromised. However, the company added that it has no evidence threat actors obtained unauthorized access to the server hosting the MyBB software.

The admin team plans to perform a global password reset and is working to enhance the security of the server host and the software running on it.

In response to the incident, the company has taken the forum offline while securing its infrastructure. The Kodi pastebin and wiki sites will be not impacted. At this time, there is no time estimate for the forum server to be online again.

“We have chosen to redeploy the forum on the latest version of MyBB software. This requires us to extract and review all differences between the latest MyBB release and the fork we maintain, which includes numerous functional changes and backported security fixes.” concludes the announcement. “This is not a simple task and the forum will remain offline until it completes: we estimate several days more work. As part of the redeployment we will restrict and harden access to the MyBB admin console, revise admin roles to reduce privileges wherever possible, and improve audit logging and backup processes.”

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kodi)