[BreachExchange] Social Engineering Forum Suffers Major Breach

[Destry Winant]

https://www.infosecurity-magazine.com/news/social-engineering-forum-suffers-1-1/

An online forum focused on discussion of all things social engineering
has been breached, with the details of tens of thousands of account
holders compromised.

Social Engineered administrator “Snow101” explained to users in a post
late last week that the hackers exploited a vulnerability in open
source forum software MyBB.

The admin claimed they had been forced to move the platform over to
XenForo, asking users to chip in to help pay for the migration.

The breach itself happened on June 13, 2019 and compromised 89,392
accounts, according to information on HaveIBeenPwned.

It claimed the details were published on a rival hacking forum, and
included around 89,000 unique email addresses linked to 55,000 users
and other tables in the same database.

“The exposed data also included usernames, IP addresses, private
messages and passwords stored as salted MD5 hashes,” it added.

Tripwire vice president, Tim Erlin, warned that, ironically enough,
email addresses are often used in follow-on phishing raids and other
social engineering attacks.

“This type of sensitive data can be used to the benefit of the
attacker in a variety of ways, including identity theft and
impersonation,” he added.

“MD5 is not a secure algorithm for hashing passwords. It has
well-known flaws and is generally understood to be insufficient for
protecting sensitive data of any kind."

However, the very nature of the forum may well mean hackers have a
hard time monetizing the data, Erlin claimed.

"If you were going to choose a user base that’s especially difficult
to target with phishing and other social engineering-based attacks,
this would certainly be near the top of the list,” he said.