Malwarebytes Forum Hacked: Yes, It can happen to anyone

Just a few minutes ago, I received the following letter in my email:

“geocrasher,

I’m writing to let you know that on November 10th a vulnerability in our
forum software allowed a hacker to gain access to the server hosting our
community. We have no evidence of any personal data being stolen (nor do
we store any on our forums!) but as a precautionary measure we are
forcing all users to reset their passwords. The next time you attempt to
log in, please select the “Forgot Your Password?” link below and follow the steps.

https://forums.malwarebytes.org/index.php?app=core&module=global&section=lostpass

We’ve also migrated our community away from our servers and onto a
service hosted by Invision Power Board. They know their software best
and as vulnerabilities are discovered, they can patch them more quickly.

I personally apologize for the inconvenience and if you have any
questions, do not hesitate to contact me directly at
mkleczynski@malwarebytes.org.

Marcin”

There’s several lessons that can be learned in this:

1) Never use the same password twice. The same password used at a hacked site, used elsewhere, is asking for your accounts to be compromised. I’ve seen it happen.

2) Keep your site software up to date. Whether you’re using Invision Power Board, WordPress, Magento, Drupal, or some other solution: Keep it updated!

3) If you can’t properly manage your security, hire someone who can

Marcin fessed up here, which is nice. But it never should have happened. You’d think that a company like Malwarebytes would keep things updated, but phrases like “They know their software best
and as vulnerabilities are discovered, they can patch them more quickly” lead me to believe that this breach was due to a vulnerability that Malwarebytes didn’t patch quick enough, even though the updates were available.

So if it can happen to Malwarebytes, it can happen to you. Keep your software updated!