The Kodi Foundation learned that a dump of the Kodi user forum, MyBB software, was being sold on online forums.
Kodi is a multi-platform, open-source media player, manager, and streaming suite. It supports a wide range of third-party add-ons, which give users access to content from numerous sources and let them personalize their viewing.
A total of 3 million posts were made on the Kodi forum by its 401,000 users, who used it to talk about media streaming, share new add-ons, offer help, and more.
Attackers Stole the Forum Database by Logging into the Admin Console
Reports say MyBB admin logs reveal that on February 16 and February 21, the web-based MyBB admin console was accessed using the account of a reliable but presently inactive member of the forum admin team.
Database backups were made using the account, downloaded, and then removed. It also downloaded the database’s existing nightly full backups. The account owner indicated they did not perform these operations using the admin console.
The admin team disabled the compromised account after this incident and started to investigate.
“The nightly full backups that were downloaded expose all public forum posts, all team forum posts, all messages sent through the user-to-user messaging system, and user data including forum username, email address used for notifications, and an encrypted (hashed and salted) password generated by the MyBB (v1.8.27) software”, according to Kodi Forum Data Breach Notification.
Kodi has not yet discovered proof of unauthorized access to the MyBB software server.
Kodi cautions that even if the passwords were hashed and salted, they should all now be regarded as compromised. The admin team is planning a global password reset that may unavoidably affect service availability.
“Users must assume their Kodi forum credentials and any private data shared with other users through the user-to-user messaging system is compromised,” suggest Kodi.
“If you have used the same username and password on any other site, you should follow the password reset/change procedure for that site.”
Setting Up a New Forum Server
The administrators of Kodi told the community earlier today that they are setting up a new forum server even though they have not detected any indications of intrusion on the current ones.
With the most recent MyBB release, the forum will be relaunched. A delay of several days is expected because there is a lot of work to backport security fixes and incorporate customized functional modifications.
Also, Kodi is adopting the uncommon step of providing the Have I Been Pwned data breach reporting service with a list of exposed email addresses linked to forum accounts.
Subscribers of the Have I Been Pwned service will be notified if their email address was among the exposed data once this data has been placed into HIBP. If you don’t subscribe to HIBP, you may still input your email address to view a list of all data breaches that include it.
“The admin team would like to conduct formal penetration testing once the forum and other services are back online,” Kodi said.