Media streaming software vendor Kodi has informed its forum users that hackers using the account of an inactive administrator have exfiltrated user data from its servers.
The stolen data includes posts that users published on the forums, direct messages they exchanged on the platform, email addresses, and passwords in non-cleartext form.
Based on stats shared by Kodi recently, its forums had 401,000 registered members and roughly three million posts. Unfortunately, all that data is already advertised for sale on hacker forums, and Kodi’s admins confirmed that the shared data samples are authentic.
Since the breached server is based in the United Kingdom, the ICO (Information Commissioner’s Office) was informed of the breach, and a report was filed with the UK police.
Upon further investigation of the security incident, Kodi’s team discovered that hackers leveraged the account of an inactive administrator to access the MyBB (forum software) admin console twice, on February 16 and on February 21.
The intruders created database backups which they then exfiltrated to their systems and subsequently deleted to wipe their attack trace. Moreover, they also downloaded all existing nightly full-backups, which contained all forum posts, messages, usernames, emails, and passwords that have been hashed and salted.
This means that the user passwords have been encrypted with a random combination of numbers and letters that make cracking them harder, so even if the hackers hold those passwords, they’re not immediately usable.
Kodi says that forum users should still treat their credentials as compromised and reset their passwords on all sites and online services where they might be using the same username/email and password.
The media streaming platform will roll out a large-scale password resetting action once the new server is ready. In an update shared on April 11, 2023, the Kodi team informed that the new forum server is being commissioned and will run the latest MyBB version. However, the team says it will take several more days before everything is ready again.
The wiki and paste servers will also be moved to new infrastructure out of an abundance of caution, but the restoration of those systems will be treated with a different priority.
Security-wise, Kodi has promised to inspect and pentest everything post-commissioning. On that front, the volunteer-ran project invites professional auditors to join the effort to identify any security gaps that need fixing.
If you had an account at Kodi’s forums, make sure to reset your passwords on all platforms and remain vigilant for incoming emails that request additional information. It is often the case that threat actors use the very data breach that enabled them to acquire the personal information of their targets as a bait theme to acquire more information from exposed users.
Hi Heinrich,
Great article!
It sounds like Kodi has been open where they can and this sounds they have been fairly timely.
The inactive administrator account is a bit questionable but at least the passwords were encrypted.
We have another matter here of unencrypted data at rest.
I don’t know why they just don’t encrypt it all.
What would be the suggest reason for this so frequently occurring?
Kind regards,
Quite expected of course.
Common sense says never to use a “good” email address for forums. Use one that you don’t have any issue with should you get hacked. Better yet, use 10minute mail kind of addresses as long as the site supports it.