Hackers Breach ZoneAlarm's Forum Site — Outdated vBulletin to Blame

ZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed The Hacker News.

With nearly 100 million downloads, ZoneAlarm offers antivirus software, firewall, and additional virus protection solutions to home PC users, small businesses, and mobile phones worldwide.

Though neither ZoneAlarm or its parent company Check Point has yet publicly disclosed the security incident, the company quietly sent an alert via email to all affected users over this weekend, The Hacker News learned.

The email-based breach notification advised ZoneAlarm forum users to immediately change their forum account passwords, informing them hackers have unauthorizedly gained access to their names, email addresses, hashed passwords, and date of births.

Moreover, the company has also clarified that the security incident only affects users registered with the "forums.zonealarm.com" domain, which has a small number of subscribers, nearly 4,500.

"This [forum] is a separate website from any other website we have and used only by a small number of subscribers who registered to this specific forum," the email notification reads.

"The website became inactive in order to fix the problem and will resume as soon as it is fixed. You will be requested to reset your password once joining the forum."

Hackers Exploited Recent vBulletin 0-Day Flaw

Upon reaching out to the company, a spokesperson confirmed The Hacker News that attackers exploited a known critical RCE vulnerability (CVE-2019-16759) in the vBulletin forum software to compromise ZoneAlarm's website and gain unauthorized access.

For those unaware, this flaw affected vBulletin versions 5.0.0 up to the latest 5.5.4, for which the project maintainers later released patch updates, but only for recent versions 5.5.2, 5.5.3, and 5.5.4.
The Hacker News found that, surprisingly, the security company itself was running an outdated 5.4.4 version of the vBulletin software until last week that let attackers compromise the website easily.

It's the same then-zero-day vBulletin exploit that an anonymous hacker publicly disclosed in late September this year, which, if exploited, could allow remote attackers to take full control over unpatched vBulletin installations.

Moreover, a week after that, the same flaw was also exploited by unknown attackers to hack the Comodo forum website, which exposed login account information of over nearly 245,000 Comodo Forums users.

Though the ZoneAlarm team learned about the breach just late last week and immediately informed affected users, it's unclear exactly when the attackers breached the website.
"ZoneAlarm is conducting an investigation into the matter. We take pride in the fact that we took a proactive approach once this incident was detected and within 24 hours and alerted the forum members," the company's spokesperson told the Hacker News.

Since the ZoneAlarm forum website is down at the time of writing, users would not be able to change their account password on the forum at this moment.

But if you are one of the affected users, you are also recommended to change your passwords for any other online account where you use the same credentials, and do the same for the ZoneForum website as soon as the site goes live again.