After hackers stole the Kodi Foundation’s MyBB forum database, which contained user information and private messages, and made an attempt to sell it online, the organization disclosed the Kodi data breach. Open-source, cross-platform Kodi is a media player, organizer, and streaming suite that allows users to access content from various sources and personalize their viewing.
The now-defunct Kodi forum had about 401,000 users who posted 3 million messages covering various topics, including video streaming, suggestions, support, sharing new add-ons, and more. Hackers took the forum database by accessing the Admin interface with the credentials of an inactive staff member, according to a statement made by the site on Saturday.
In 2023, they repeatedly made and downloaded database backups after accessing the admin panel. “MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin dashboard twice: on February 16 and again on February 21,” claims Kodi in a statement to its subscribers.
“Database backups were produced by the account and then downloaded and erased. Moreover, the database’s nightly full backups were obtained.” The Kodi team verified that the employee’s credentials were most likely stolen because they showed no evidence of the real account owner performing these tasks on the admin console.
All staff forum posts, public forum posts, private conversations between users, and forum member information, including usernames, email addresses, and passwords produced by the MyBB (v1.8.27) software, are all included in the stolen database. It also contains encrypted (hashed and salted) passwords.
Although the passwords were hashed and salted, Kodi warns that they should all now be regarded as compromised. A global password reset planned by the admin team may unavoidably affect service availability.
According to Kodi’s release, the user-to-user messaging system and any sensitive information transmitted with other users through it may have been compromised. You should follow that site’s password reset/change instructions if you have previously used the same login and password.
Even though they have not seen any signs of penetration on the present forum servers, Kodi admins informed the community earlier today that they are setting up a new one.
The forum will be reopened using the most recent MyBB release. A lot of effort is needed to backport security updates and add tailored functional modifications, so a delay of “several days” is to be anticipated. In an unusual move, Kodi data breach also provides the Have I Been Pwned data breach notification service with a list of vulnerable email addresses linked to forum accounts.
If their email address was among the exposed data, subscribers to the ‘Have I Been Pwned’ service would be notified after loading this data. You can also input your email address on the website if you are not a subscriber to HIBP to view a list of all data breaches that include your email address.
After everything is back up and running, the Kodi team will conduct vulnerability tests. To help them with this cybersecurity effort, they are contacting qualified auditors who might be willing to volunteer their time and skills.
Hacking Forum Advertised Kodi Data
The Kodi Team claims they made the incident public after discovering hackers offered the stolen database for sale online. Since then, cyber intelligence firm KELA has informed BleepingComputer that the Kodi Community Forum database was being sold in February on the now-defunct Breached hacker forum.
Amius, the vendor, stated they were offering a database that had been leaked on February 15, 2023, and that it contained the contact information for 400,314 Kodi forum users, including “many iptv resellers.”
The cost of the database is unknown because the seller was receiving private offers through Telegram.
Breached was a well-known hacking and information-disclosure site that was well-known for hosting, disclosing, and reselling information gained from compromised businesses, governments, and other organizations.
Following Pompompurin’s arrest by the FBI, the Breached website’s founder and proprietor, it was shut down. They then pulled it down out of concern that law enforcement had access to the servers, despite an attempt to keep it running by another admin known as Baphomet.
Conclusion
Following the theft of the company’s MyBB forum database, which contained user information and private messages by threat actors. Kodi, a developer of open-source media player software, has acknowledged a data breach. Also, the unidentified threat actors tried to sell the data dump containing 400,635 Kodi users on the now-defunct BreachForums black market for cybercrime. MyBB admin logs reveal that on February 16 and February 21, respectively, the account of a dependable but presently inactive member of the forum admin team was used to access the web-based MyBB admin interface. After creating database backups that were later downloaded and deleted, the threat actors exploited the account improperly. Also downloaded were the database’s nightly complete backups. The disputed account has already been disabled.
Every team forum post, every public forum post, every message sent through the user-to-user messaging system, user data like forum usernames, email addresses used for notifications, and an encrypted (hashed and salted) password created by the MyBB software were all included in the nightly backups. According to the Kodi data breach, there is no proof that threat actors could get unauthorized access to the MyBB software server. It was once more stressed that the legitimate account owner did not carry out any evil deeds on the admin interface, raising the possibility of credential theft. The maintainers announced that efforts are being made to start a worldwide password reset out of an abundance of caution. Users are encouraged to reset their passwords if they have already been used on another website. The Kodi forum has been removed in the interim, and the firm stated that it is currently commissioning a new server, a process that should take “several days.” Also, the forum will be redeployed using the most recent MyBB software.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.