
Notice of security breach on Ubuntu Forums

39 points, by onosendai, almost 9 years ago

5 comments

jrowley, almost 9 years ago
I like the direct communication style of this document.
AlphaGeekZulu, almost 9 years ago
Although they obviously failed in their security efforts, I think, they did a good job in communicating the incident. No beating around the bush.
zaroth, almost 9 years ago
> They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted).

Is that a session token they are talking about? What part of the OpenID protocol would involve saving a so-called "password" in the users table which is really just a "random string", but which was also hashed and salted?

Ubuntuforums does use Ubuntu One for SSO; there should be no "passwords" at all in the table, so I'm not quite sure what to make of that paragraph. Typically session tokens are not salted and hashed, although you can actually do that to avoid having to revoke them after a breach.
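On zaroth's last point, that a site can store only a salted hash of each session token so a dumped user table yields nothing an attacker can log in with, here is an added illustration; it is not code from the thread, from Ubuntu Forums or from vBulletin, and the in-memory `SESSION_TABLE`, `issue_session`, `verify_session` and `leaked_row_is_usable` names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the 'user' table: this is all a database dump
# would reveal. Each row holds a per-user salt and the hash of the token,
# never the token itself.
SESSION_TABLE = {}

def issue_session(user_id):
    """Create a session token for user_id; persist only its salted hash.

    For a 256-bit random token the salt adds little (there is nothing to
    guess), but it mirrors the "hashed and salted" storage the notice
    describes and costs nothing.
    """
    token = secrets.token_urlsafe(32)      # sent to the browser, not stored
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + token.encode()).hexdigest()
    SESSION_TABLE[user_id] = (salt.hex(), digest)
    return token

def verify_session(user_id, presented_token):
    """Recompute the salted hash of the presented token and compare it
    in constant time against the stored digest."""
    row = SESSION_TABLE.get(user_id)
    if row is None:
        return False
    salt_hex, stored_digest = row
    candidate = hashlib.sha256(
        bytes.fromhex(salt_hex) + presented_token.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_digest)

def leaked_row_is_usable(user_id):
    """Simulate replaying the dumped row (hash, or salt+hash) as if it
    were the token. With hash-at-rest storage this must fail."""
    salt_hex, stored_digest = SESSION_TABLE[user_id]
    return (verify_session(user_id, stored_digest)
            or verify_session(user_id, salt_hex + stored_digest))

def demo():
    """Run the three checks a reviewer would want and return the results."""
    token = issue_session("alice")
    return {
        "real_token_accepted": verify_session("alice", token),
        "wrong_token_rejected": not verify_session("alice", token + "x"),
        "leaked_row_usable": leaked_row_is_usable("alice"),
    }
```

Because only the digest is at rest, a leaked table does not force the operator to invalidate every live session; rotating tokens after a breach remains good practice, but it is no longer the only thing standing between the dump and account takeover.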
ProxCoques, almost 9 years ago
Not another one? Didn't they get p0wned a few years ago?
guessmyname, almost 9 years ago
> Hardening

> We’ve installed ModSecurity, a Web Application Firewall, to help prevent similar attacks in the future.

> We’ve improved our monitoring of vBulletin to ensure that security patches are applied promptly.

What? They _just_ added a firewall in their forum? What were they thinking all these years then? Either none of their engineers thought about adding an extra layer of security to this website during all these years, or the chain of command in this company is so strict that any suggestion from their engineers is dismissed until a security breach is detected. What a shame, first Linux Mint, and now these guys.