vBulletin was breached and it made 480,000 subscribers vulnerable. To mitigate the attack, vBulletin reset the passwords for all subscribers.

A security patch was released Monday night, but ars technica suggested that from available evidence the site "contained a zero-day vulnerability that allowed hackers in the wild to gain almost complete control over websites that used the forum app."

Wayne Luke, technical support lead at vBulletin, denied it being a zero day attack and instead suggested that the attack was: "These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications."

However, Tod Beardsley, principal security research manager at Rapid7, said in a statement issued on Wednesday, that it looks like the attack on vBulletin was due to a SQL injection bug in its forum software.

Beardsley went on to say that organizations that rely on vBulletin should apply the security patch immediately. "vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering hole attack. An unpatched bug in the platform can expose downstream users to serious risk."

Source: SCMagazine