The Kodi Foundation has disclosed a data breach after hackers stole the organization’s MyBB forum database containing user data and private messages and attempted to sell it online.
Kodi is a cross-platform open-source media player, organizer, and streaming suite, that supports a vast array of third-party add-ons enabling the users to access content from various sources or customize their experience.
The now-shut down Kodi forum has roughly 401,000 members who used it to discuss media streaming, exchange tips, offer support, share new add-ons, and more in 3 million posts.
According to an announcement published by the platform on Saturday, hackers stole the forum database by logging into the Admin console using an inactive staff member’s credentials.
Once they gained access to the admin panel, they created and downloaded database backups multiple times in 2023.
“MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February,” explains Kodi in a message to its users.
“The account was used to create database backups which were then downloaded and deleted. It also downloaded existing nightly full-backups of the database.”
The Kodi team confirmed that the actual account owner did not perform these actions on the admin console, indicating that the staff member’s credentials were likely stolen.
The stolen database contains all public forum posts, staff forum posts, private messages sent between users, and forum member data, including usernames, email addresses, and encrypted (hashed and salted) passwords generated by the MyBB (v1.8.27) software.
While the passwords were hashed and salted, Kodi warns that all passwords should now be considered compromised. The admin team is planning a global password reset that will inevitably impact service availability.
“Users must assume their Kodi forum credentials and any private data shared with other users through the user-to-user messaging system is compromised,” warns Kodi’s announcement.
“If you have used the same username and password on any other site, you should follow the password reset/change procedure for that site.”
In an update published earlier today, Kodi’s administrators informed the community that they are commissioning a new forum server despite seeing no evidence or signs of compromise on the existing systems.
The forum will be redeployed using the latest available MyBB version. This comes with a heavy workload required to incorporate custom functional changes and backport security fixes, so a delay of “several days” is to be expected.
Kodi is also taking the unusual approach of sharing a list of exposed email addresses associated with forum accounts with the Have I Been Pwned data breach notification service.
Once this data is loaded in Have I Been Pwned, subscribers of the HIBP service will receive a notification if their email address was part of the exposed data.
If you are not an HIBP subscriber, you can also enter your email address on the site to see a list of all data breaches that contain your email address.
Finally, the Kodi team plans to run penetration tests once everything is up and running again. They are calling professional auditors who could volunteer to donate some time and expertise to help them with this cybersecurity project.