Security incident with Miva's community forum software

    Miva’s forums operate using a commercial software application called vBulletin. In 2019 an anonymous entity discovered a vBulletin vulnerability, and then released working exploit code to the public without first contacting the authors of vBulletin to allow them to produce a patch. The following article contains more information about this: LINK

    Access to our forum was removed several hours after this incident began, but we have been made aware that encrypted password data from forum accounts had been obtained in the hours between the vulnerability publication and our disabling access. Members of our forum who’d not changed passwords for several years would have had them stored in encrypted form, where it may be possible for an attacker to decrypt the data. Members who had changed passwords more recently would have had their encrypted password removed and replaced by a secure hash, as vBulletin ceased storing passwords in later versions.

    Forum member accounts are self-contained in the forum software and not used in any other way by Miva, Miva systems, applications, or staff. Access to the forum does not enable access to any other Miva system, service, or application. The system where the forum software is housed is exclusive to that purpose and was also replaced following the incident.

    Miva has taken the action of locking any forum account which still held an encrypted password, and any account that has not had a password change since September of 2019. The lost password process will allow active forum users to reset to a new password via email link.

    As a security best practice, forum members should utilize a password unique to our forums, but if that had not been the case, our recommendation is that you change the password for any other instance where that same password had been used.
    David Hubbard
    [email protected]