Social Engineered site falls prey to an XSS vulnerability; leaks over 85,000 unique email addresses

• The leaked email addresses are linked to 55,000 forum account holders.
• The exposed data also includes usernames, IP addresses, and passwords stored as salted MD5 hashes.

The 'Art of Human Hacking' site Social Engineered has suffered a data breach due to a security hole in 'My BB' open-source software. The incident has enabled the hackers to steal some crucial details from the site and publish them on a rival hacking forum.

What data is published?

According to a report from 'Have I Been Pwned', the data breach occurred on June 13, 2019. The details compromised from the Social Engineered forum includes 89,392 unique email addresses. These email addresses are linked to 55,000 forum account holders. The exposed data also includes usernames, IP addresses, and passwords stored as salted MD5 hashes.

Who is to be blamed?

In a blog post, the owner of Social Engineered - who goes by the nickname of Snow101 - revealed that the breach occurred due to a cross-site scripting vulnerability in 'MyBB'.

MyBB is open-source, free software that is used to create and maintain forums. The XSS vulnerability in the software, if exploited, can permit attackers to gain full access to a target account.

If a malicious message containing JavaScript code is sent to an administrator or published on a MyBB forum, then this can lead to the full remote takeover of a board.

What action has been taken?

The vulnerability has been patched in MyBB version 1.8.21. Social Engineered has now shifted over to the XenoForo platform in order to prevent such data breaches in the future. The forum has also asked its users to change their passwords.