Database security?



Scooby Doo
03-21-2017, 05:22 PM
I'm registered with https://haveibeenpwned.com and this morning I had an email to say my freedc email address had been in a vbulletin database leak from January.

Just thought I had better let you know.

Ian

Bok
03-21-2017, 10:15 PM
Yeah, I got that too. Looks like vbulletin have patched it, so I've updated to latest code today.

All passwords are salted and hashed in the database as far as I know with vbulletin so little chance they are out there, but email addresses will be.

TomM
03-31-2017, 01:41 PM
Thanks, home INFOSEC (wife) just alerted me to this.

She wants to know what hashing algorithm is used; apparently, to keep things difficult for the newish GPU-based crackers, it should be something like SHA-512.

Bok
03-31-2017, 02:31 PM
You'll have to go look at the vbulletin websites to find that info I'm afraid. I just use their software.

TomM
03-31-2017, 07:16 PM
> You'll have to go look at the vbulletin websites to find that info I'm afraid. I just use their software.

Apparently their algorithm is really weak. One hobbyist was able to crack ~135k hashed/salted passwords in a day without really trying hard, just using his normal desktop machine (admittedly with a high-end GPU).

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/
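
An added example, not part of the thread and not vBulletin's code: it compares a single salted hash with a salted hash that also carries a work factor, which is the property that matters against GPU guessing. The function names, the stored-string format and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your own hardware


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-512 pass: unique per user, but cheap to compute."""
    return hashlib.sha512(salt + password.encode()).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha512$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha512":
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(dk, expected)


def cost_ratio(password: str = "constructed-sample-password", rounds: int = 3) -> float:
    """How many times more expensive one guess is with the work factor applied."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(rounds):
        fast_salted_hash(password, salt)
    t1 = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    print(f"per-guess cost multiplier: {cost_ratio():,.0f}x")
```

The salt stops one precomputed table from covering every user; the iteration count is what makes each individual guess expensive.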