Kodi discloses data breach after forum database for sale online

The Kodi Foundation has disclosed a data breach after hackers stole the organization's MyBB forum database containing user data and private messages and attempted to sell it online.

Kodi is a cross-platform open-source media player, organizer, and streaming suite, that supports a vast array of third-party add-ons enabling the users to access content from various sources or customize their experience.

The now-shut down Kodi forum has roughly 401,000 members who used it to discuss media streaming, exchange tips, offer support, share new add-ons, and more in 3 million posts.

According to an announcement published by the platform on Saturday, hackers stole the forum database by logging into the Admin console using an inactive staff member's credentials. 

Once they gained access to the admin panel, they created and downloaded database backups multiple times in 2023.

"MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February," explains Kodi in a message to its users.

"The account was used to create database backups which were then downloaded and deleted. It also downloaded existing nightly full-backups of the database."

The Kodi team confirmed that the actual account owner did not perform these actions on the admin console, indicating that the staff member's credentials were likely stolen.

The stolen database contains all public forum posts, staff forum posts, private messages sent between users, and forum member data, including usernames, email addresses, and encrypted (hashed and salted) passwords generated by the MyBB (v1.8.27) software. 

While the passwords were hashed and salted, Kodi warns that all passwords should now be considered compromised. The admin team is planning a global password reset that will inevitably impact service availability.

"Users must assume their Kodi forum credentials and any private data shared with other users through the user-to-user messaging system is compromised," warns Kodi's announcement.

"If you have used the same username and password on any other site, you should follow the password reset/change procedure for that site."

In an update published earlier today, Kodi's administrators informed the community that they are commissioning a new forum server despite seeing no evidence or signs of compromise on the existing systems.

The forum will be redeployed using the latest available MyBB version. This comes with a heavy workload required to incorporate custom functional changes and backport security fixes, so a delay of "several days" is to be expected.

Kodi is also taking the unusual approach of sharing a list of exposed email addresses associated with forum accounts with the Have I Been Pwned data breach notification service.

Once this data is loaded in Have I Been Pwned, subscribers of the HIBP service will receive a notification if their email address was part of the exposed data. 

If you are not an HIBP subscriber, you can also enter your email address on the site to see a list of all data breaches that contain your email address.

Finally, the Kodi team plans to run penetration tests once everything is up and running again. They are calling professional auditors who could volunteer to donate some time and expertise to help them with this cybersecurity project.

Kodi data marketed on a hacking forum

The Kodi Team says they disclosed the breach after learning that hackers were selling the stolen database online.

BleepingComputer has since learned from cyberintelligence company KELA that the 'Kodi Community Forum' database was being sold in February on the now defunct Breached hacking forum.

The seller, Amius, claimed they were selling a database dumped on February 15th, 2023, containing the information for 400,314 Kodi forum members, including the information for "many iptv resellers."

The seller was accepting offers privately through Telegram, so there is no information on the cost of the database.

Breached was a popular hacking and data leak forum known for hosting, leaking, and selling data obtained from breached companies, governments, and various organizations. 

The Breached site shut down after its founder and owner, Pompompurin, was arrested by the FBI. 

While another admin known as Baphomet attempted to keep the site operational, they later shut it down out of fear that law enforcement had access to the servers.

Update 4/12/23: Added info about where database was being sold