If you have ever joined a motorcycle forum, you should probably change all your passwords – right now.
This is because VerticalScope, a Canadian company that owns the vast majority of motorcycle web forums (among other types of sites), is reporting that its servers were breached back in February, resulting in the data of 45 million users being compromised.
As our friends at Canada Moto Guide pointed out, VerticalScope isn’t the most recognized name in the motorcycle industry, but they are a major player in the space with their holdings in forum communities.
Asphalt & Rubber readers will surely recognize their top web property for motorcycles though, the aptly named Motorcycle.com.
Reading the reports from the security community, it sounds like either VerticalScope's entire user database or several separate per-site databases were compromised in the breach. The stolen data includes the usernames, user IDs, email addresses, IP addresses, and hashed passwords of VerticalScope users, and it is now out in the wild.
Thankfully, more sensitive personal information, such as credit card details, does not appear to have been included in the breach.
While that sounds like a rather benign leak of information, it should be noted that many of VerticalScope's forums, if not all of them, run the VBulletin message forum software platform – a piece of software the A&R team has extensive experience with, having ourselves run some of the largest motorcycle forums in the past.
Without geeking out too much, suffice it to say that VBulletin is a very high-maintenance (that’s the most polite phrase I can use here) software package that is riddled with bugs and security holes, especially if you don’t pay for the latest security updates.
It wouldn't surprise us to learn that the forum software was the attack vector in VerticalScope's case, and the type of information reported stolen supports that notion: username, user ID, email address, IP address, password hash, and salt are exactly the fields a VBulletin user table holds.
For forum users though, this is still extremely bad news.
While VBulletin does "salt" its user passwords, the hash itself is still MD5 (the password is hashed, the salt is appended, and the result is hashed again). MD5 has been considered broken for many years, but for password storage the bigger problem is that it is fast: it was designed for speed, not for slowing down guessing. A salt only defeats precomputed "rainbow table" lookups; it does nothing to stop an attacker from simply guessing passwords against each hash in turn.
With an off-the-shelf GPU and a password-cracking tool, an attacker can test billions of salted-MD5 guesses per second, so any common, short, or dictionary-based password among the estimated 40 million stored this way will fall within hours, not months; only long, random passwords hold up. (Roughly 10% of the passwords were stored in a different manner, likely on non-VBulletin properties.)
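To make the salted-MD5 point concrete, here is an added example (not code from the original article, and not VerticalScope's or VBulletin's own code). It rebuilds the VBulletin 3/4-style hash, md5(md5(password) + salt), runs a dictionary attack against a constructed toy user table, and shows the hardened alternative, a deliberately slow salted KDF (PBKDF2-HMAC-SHA256 here). The 3-character salt, the sample passwords, and the word list are all assumptions made for the demo.

```python
import hashlib
import secrets

# vBulletin 3/4 store md5(md5(password) + salt). Assumption: a 3-character salt
# as in vBulletin 3; the article does not say which version the breached sites ran.
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def vb_hash(password: str, salt: str) -> str:
    """Two MD5 calls: cheap enough that a GPU runs billions per second."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_salt(length: int = 3) -> str:
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def crack_vb(rows, wordlist):
    """Dictionary attack on (userid, stored_hash, salt) rows.
    The salt defeats precomputed rainbow tables (every row needs its own
    guesses), but each guess is still only two MD5 calls, so weak passwords
    fall immediately; only passwords outside the word list survive."""
    found = {}
    for userid, stored, salt in rows:
        for candidate in wordlist:
            if vb_hash(candidate, salt) == stored:
                found[userid] = candidate
                break
    return found


# Hardened form: a slow, salted password KDF. Each guess now costs
# `iterations` HMAC-SHA256 computations instead of two MD5s, which is
# what actually buys time against offline cracking.
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) minimum for PBKDF2-HMAC-SHA256


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return secrets.compare_digest(pbkdf2_hash(password, salt, iterations), expected)


# Constructed toy "leaked" user table (not real data); fixed salts keep the
# demo repeatable. Users 1 and 2 chose dictionary words, user 3 a random string.
SAMPLE_WORDLIST = ["password", "123456", "gsxr1000", "letmein", "ducati", "qwerty"]
SAMPLE_ROWS = [
    ("1", vb_hash("gsxr1000", "aB3"), "aB3"),
    ("2", vb_hash("ducati", "x9Q"), "x9Q"),
    ("3", vb_hash("Tq7!mV2#pLz9wR", "Kk1"), "Kk1"),
]

if __name__ == "__main__":
    print("cracked:", crack_vb(SAMPLE_ROWS, SAMPLE_WORDLIST))
    salt = secrets.token_bytes(16)
    stored = pbkdf2_hash("ducati", salt)
    print("pbkdf2 verify ok:", pbkdf2_verify("ducati", salt, PBKDF2_ITERATIONS, stored))
```

Running it cracks users 1 and 2 straight away and leaves user 3 alone, which is the whole story of this breach in miniature: the salt did not save anyone who picked a guessable password. With the PBKDF2 variant, the same word list costs the attacker 600,000 HMAC computations per guess per user instead of two MD5s.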
Given VerticalScope's pervasive footprint in the motorcycle industry, both through its web forums and through Motorcycle.com, and the fact that the passwords can easily be cracked, we highly recommend that any user who has signed up for an account on a VerticalScope forum change their other passwords, especially if you have the bad habit of reusing passwords for other services (like your bank account, for instance).
At stake is more than just your forum identity.
Often in attacks like these, hackers sell the stolen database on the black market. With a list of 45 million email addresses and cracked passwords, buyers can then try every one of those logins against other, more critical websites, a technique known as credential stuffing.
For example, they would take a compromised Gixxer.com login and see if it works at any of the major banking institutions. Other attacks target social media accounts or services that hold even more personal information, like your address, social security number, bank account, etc.
Using automated tooling to replay these logins, hackers can blow through a list the size of VerticalScope's in days, if not sooner, depending on how much computing power and how many source addresses they can throw behind it.
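From the defender's side, the pattern described above is easy to spot in login logs. This added example (ours, not part of the original article or any real product) flags credential stuffing by looking for a single source address that tries many different accounts in a short window with mostly failures, then lists the accounts that succeeded from that address, which are the reused passwords that actually worked. The log format and the sample lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not from any real system):
#   <ISO timestamp> ip=<source> user=<account> result=<ok|fail>
SAMPLE_LOG = """\
2016-06-15T10:00:01 ip=203.0.113.7 user=alice@example.com result=fail
2016-06-15T10:00:01 ip=203.0.113.7 user=bob@example.com result=fail
2016-06-15T10:00:02 ip=203.0.113.7 user=carol@example.com result=ok
2016-06-15T10:00:02 ip=203.0.113.7 user=dan@example.com result=fail
2016-06-15T10:00:03 ip=203.0.113.7 user=erin@example.com result=fail
2016-06-15T10:00:03 ip=203.0.113.7 user=frank@example.com result=fail
2016-06-15T10:00:05 ip=198.51.100.2 user=grace@example.com result=fail
2016-06-15T10:00:09 ip=198.51.100.2 user=grace@example.com result=fail
2016-06-15T10:00:15 ip=198.51.100.2 user=grace@example.com result=ok
2016-06-15T10:01:00 ip=192.0.2.9 user=heidi@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse lines into (timestamp, ip, user, success) tuples, sorted by time.
    Lines that do not match the format are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")
        )
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, failures, attempts)} for source IPs that,
    within any sliding `window`, hit at least `min_users` distinct accounts
    with a failure ratio of at least `min_fail_ratio`. A forgetful user
    retries one account; a stuffing tool walks a list of accounts, one try
    each, and most of them fail."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                flagged[ip] = (len(users), failures, len(span))
    return flagged


def hit_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged IP: these are the
    reused credentials that worked, and the first ones to force-reset."""
    return sorted({e[2] for e in events if e[1] in flagged and e[3]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("stuffing sources:", hits)
    print("accounts to reset:", hit_accounts(evs, hits))
```

In the sample, 203.0.113.7 walks six different accounts in three seconds with five failures and is flagged, while 198.51.100.2 (one user fat-fingering a password twice) is not. The one success from the flagged address, carol@example.com, is exactly the kind of reused forum password the article is warning about.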
Again, we highly recommend that anyone who has ever joined a motorcycle forum update those passwords, along with any other login that shares them.
Even if you joined a non-VerticalScope forum in the past, it is possible that site is now one of VerticalScope's holdings, and subject to these issues, since VerticalScope acquires many enthusiast sites each year. For a full list of their holdings in the motorcycle industry, check here.
If you have any questions, I recommend asking them in the comments, and the A&R team will do our best to answer them, since we have more than a little experience with this type of thing and the software used in this instance.