vBulletin Vulnerability: Passwords Shuffled for Some Users

[Jason Dunn]

If you're trying to log into our forums and having trouble, here's why: there are some individuals going around and running scripts against vBulletin installs, specifically looking to hijack user accounts where the username and password are the same. These people then use these hijacked accounts to send our spam private messages and email messages (I've turned off the email function on our board). I was shocked to learn that we have 559 users who have done exactly that: chosen their password to match their user-name. Not only is this bad security, it leaves the door open for hacker-types to get into our board, pretending to be real users, and cause problems. To prevent this, what we've done is randomize the passwords for the 559 users who were impacted by this.

If you're one of these users, all you need to do is use the Lost Password Recovery Form to have the password sent to you - which you'll then want to reset the password to something else...something other than your user name of course. If you have any trouble with this process, please contact me and I'll manually reset your password. I apologize for any hassle this may cause, but this step was necessary to protect the security of all our users.

[Jason Dunn]

If you're trying to log into our forums and having trouble, here's why: there are some individuals going around and running scripts against vBulletin installs, specifically looking to hijack user accounts where the username and password are the same. These people then use these hijacked accounts to send our spam private messages and email messages (I've turned off the email function on our board). I was shocked to learn that we have 559 users who have done exactly that: chosen their password to match their user-name. Not only is this bad security, it leaves the door open for hacker-types to get into our board, pretending to be real users, and cause problems. To prevent this, what we've done is randomize the passwords for the 559 users who were impacted by this.

If you're one of these users, all you need to do is use the Lost Password Recovery Form to have the password sent to you - which you'll then want to reset the password to something else...something other than your user name of course. If you have any trouble with this process, please contact me and I'll manually reset your password. I apologize for any hassle this may cause, but this step was necessary to protect the security of all our users.

[Rocco Augusto]

Are we going to prevent users from using their username as their password in the future?

[Jason Dunn]

Quote:

Originally Posted by Rocco Augusto

Are we going to prevent users from using their username as their password in the future?

At the moment vBulletin lacks any such feature...which completely blows my mind. I'm hoping they'll release a patch in the near future to address this problem.

[Rocco Augusto]

Quote:

Originally Posted by Jason Dunn

At the moment vBulletin lacks any such feature...which completely blows my mind. I'm hoping they'll release a patch in the near future to address this problem.

I hope so. Because if there is one thing I learned from my years of using the Internet, at least one of those 500+ people will try to change their password back to their username