TheCyberThrone

KODI Discloses Data Breach

Kodi disclosed a data breach of its user forum software earlier this week. The team became aware of the hack after a dump of the Kodi user forum was offered for sale on the darknet.

The initial investigation revealed that the attacker breached the forum admin account of an inactive but trusted member and managed to access the admin console twice. This happened in mid-February of 2023. The admin account was used to create backups of the databases, which were then downloaded.

After becoming aware of the incident, Kodi disabled the account in question to prevent future access to the system. It also reported the incident to the UK police and notified the UK Information Commissioner’s Office.

The downloaded database backups contain user data, including the forum username, the email address used for notifications, and an encrypted (hashed and salted) password generated by the MyBB (v1.8.27) software.

Users of the forum should assume that their “Kodi forum credentials and any private data shared with other users through the user-to-user messaging system is compromised.”

While passwords are encrypted, Kodi considers them compromised and thus burned. Kodi announced the following plans to deal with the breach:

The global password reset will likely happen once the forums go back online. Users will be informed by email about the reset, and they need to set a new password on the first visit to the forum.

The latest release, Kodi 20, was not affected by the breach.
