openSUSE Forums were hijacked today, reports The Hacker News. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited the vulnerability in vBulletin 4.2.1 software which SUSE uses to host the forum. vBulletin is a proprietary forum software. The good news is that sensitive data like user passwords has not been compromised, unlike the breach that we saw with Target.
The Hackernews wrongly reported that the cracker gained full access to users account, including password. The openSUSE team has denied that the users passwords were compromised by this cracker.
Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.
However, some user data is stored in the local database for convenience, in the case of the forum the user email addresses. Those the hackers had access too and we’re very sorry for this data leak!
While as an openSUSE user it’s good to see that none of the user-data was compromised it’s shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary sign-in solutions from NetIQ.
They need to move to some open source technologies.