Kodi forum database hack exposes data of 400,000 users

Hackers exploited inactive staff member's credentials


Kodi, the cross-platform open-source media player and streaming suite, has recently disclosed a data breach that occurred in February 2023. Hackers gained unauthorized access to the organization's MyBB forum database, which contained user data and private messages, and attempted to sell it online.

Approximately 401,000 members were impacted, as well as the 3 million posts made on the now-shut-down forum. In this article, we will delve into the details of the breach, including how it occurred, what data was exposed, and the steps Kodi is taking to address the situation.

Kodi revealed that the data breach occurred after a hacker exploited the credentials of an inactive staff member to log into the MyBB admin console. The hacker accessed the admin panel twice, on February 16 and 21, 2023, and created and downloaded multiple database backups.

The MyBB admin logs showed that the account of the staff member, who was trusted but inactive at the time, was used for these actions. Kodi confirmed that the actual account owner did not perform these actions, indicating that the staff member's credentials were likely stolen. The blog post said:[1]

MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February. <…> The account owner has confirmed they did not access the admin console to perform these actions.
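The pattern in the admin logs described above (a long-idle admin account reappearing and then creating and downloading backups) is one a defender can alert on. The following is an added example, not code from Kodi or MyBB; the record layout, action names, account names and thresholds are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed idle period that makes an admin account "inactive"
WATCH_WINDOW = timedelta(days=14)    # assumed review period after a dormant account reappears
SENSITIVE = {"backup_create", "backup_download"}  # hypothetical action names

# Constructed sample records (timestamp, account, action). Only the 16 and 21
# February dates come from the article; everything else is invented.
ADMIN_LOG = [
    ("2022-06-10T09:30:00", "staff_b", "login"),
    ("2023-01-28T18:02:00", "staff_a", "login"),
    ("2023-02-10T18:40:00", "staff_a", "login"),
    ("2023-02-10T18:44:00", "staff_a", "backup_create"),
    ("2023-02-16T03:11:00", "staff_b", "login"),
    ("2023-02-16T03:14:00", "staff_b", "backup_create"),
    ("2023-02-16T03:19:00", "staff_b", "backup_download"),
    ("2023-02-21T02:47:00", "staff_b", "login"),
    ("2023-02-21T02:50:00", "staff_b", "backup_download"),
]

def flag_dormant_admin_activity(log):
    """Return (timestamp, account, action, severity) for activity by reactivated accounts."""
    last_seen = {}   # account -> time of its previous admin-console action
    woke_at = {}     # account -> time it reappeared after a dormant period
    alerts = []
    for ts, account, action in sorted(log):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(account)
        # An account with no earlier entry has no baseline and is not flagged here.
        if prev is not None and when - prev >= DORMANT_AFTER:
            woke_at[account] = when
        last_seen[account] = when
        woke = woke_at.get(account)
        if woke is not None and when - woke <= WATCH_WINDOW:
            severity = "high" if action in SENSITIVE else "review"
            alerts.append((ts, account, action, severity))
    return alerts

if __name__ == "__main__":
    for alert in flag_dormant_admin_activity(ADMIN_LOG):
        print(*alert)
```

The regularly active account's backup is not flagged, while every action by the reactivated account inside the watch window is, with the backup actions marked high.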

Exposed passwords and other discussion contents

The stolen database contained various data types, including all public forum posts, staff forum posts, private messages sent between users, and forum member data such as usernames, email addresses, and hashed and salted passwords generated by the MyBB software.[2]

While the passwords were hashed and salted, the company has warned that all passwords should be considered compromised. In response to the breach, Kodi's admin team is planning a global password reset, which may impact service availability.

Users have been advised to assume that their forum credentials and any private data shared with other users through the user-to-user messaging system have been compromised. Additionally, users who have used the same username and password on other sites have been urged to change their passwords on those sites as well:[1]

If you have used the same username and password on any other site, you should follow the password reset/change procedure for that site. Once the Kodi forum comes back online we will provide instructions on how to complete a reset of your Kodi forum password.

Sold on the underground forums

The data breach was discovered after Kodi learned that the stolen database was being sold online by a hacker. Cyberintelligence company KELA revealed that the database was being offered for sale on the now-defunct Breached hacking forum in February 2023.[3]

Using the name “Amius,” the seller claimed to have a database dump containing information for 400,314 Kodi forum members, including “many iptv resellers.” The seller accepted offers privately through Telegram, making it difficult to determine the cost of the database.[4]

Breached was a well-known hacking and data leak forum that was used to host, leak, and sell data obtained from breached companies, governments, and organizations. The forum was shut down after its founder and owner, “Pompompurin,” was arrested by the FBI.

Measures Kodi has taken

In response to the data breach, Kodi has taken several measures to mitigate the impact on its users. Firstly, the Kodi team has shut down the forum and is rebuilding it from scratch using the latest available version of MyBB software, incorporating custom functional changes and backporting security fixes. However, this process is expected to take several days, which may disrupt service availability for forum users.

Kodi has also taken the unusual step of sharing a list of exposed email addresses associated with forum accounts with the Have I Been Pwned data breach notification service.

This will enable service subscribers to be notified if their email address was part of the exposed data. Even if users are not subscribed to Have I Been Pwned,[5] they can still enter their email address on the site to check if it has been involved in other data breaches.

Furthermore, the Kodi team has announced plans to conduct penetration tests once the forum is up and running again. They are seeking professional auditors who can volunteer their time and expertise to help with this cybersecurity project.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
