Comodo, which bills itself as a “global leader in cybersecurity solutions,” said its forum was hacked.
The admission came in no less than a forum post, which confirmed a hacker exploited a recently disclosed vulnerability in vBulletin, a popular forum software used by Comodo. The flaw, which requires little skill to exploit, allows an attacker to remotely run malicious code on a vulnerable forum. In this case, the exploit was used to dump the entire user database.
But despite claiming in its disclosure that it takes “security very seriously” and is its “highest priority,” the company didn’t immediately patch its forum software. Four days after the patches were released, its forum was hacked.
According to the disclosure, Comodo said the hackers stole usernames, names and email addresses, as well as the user’s last IP address used to access the forum. Some social media handles were also stolen in the breach.
Comodo said it has about 245,000 registered forum users.
It’s not the most damaging breach on record, but it’s a bruising security lapse for a company that claims to be half-decent at this stuff.
This is Comodo’s second security snafu this year following another breach involving an exposed password, which allowed a security researcher access to the company’s intranet — and access to internal files and documents.