In around 2011, the RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data. The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted MD5 password hashes.
# Incident Report: RuneScape Boards (RSBoards) Data Breach
## Executive Summary
In approximately December 2011, the RuneScape Boards (RSBoards) forum platform suffered a significant data breach resulting in the compromise of over 222,000 user accounts. The incident involved the exfiltration of sensitive user information from a vBulletin-based database, which was subsequently redistributed in historical credential leaks.
## Incident Details
- **Discovery Date:** Approximately March 2024 (Re-confirmed via aggregation services)
- **Incident Date:** December 2011
- **Affected Organization:** RuneScape Boards (RSBoards)
- **Sector:** Gaming / Online Community
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa December 2011
- **Vector:** Likely exploitation of vulnerabilities in the vBulletin forum software.
- **Details:** Attackers gained unauthorized access to the underlying database of the RSBoards community.
### Lateral Movement
- **Details:** Not explicitly disclosed; however, access likely involved moving from the web server interface to the backend SQL database hosting forum member tables.
### Data Exfiltration/Impact
- **Details:** Attackers successfully exfiltrated a database export containing records for 222,810 unique users. The data remained in circulation and was later identified in a massive "corpus" of redistributed historical data.
### Detection & Response
- **Detection:** The breach was identified long after the fact through the analysis of leaked data dumps and archival by breach notification services.
- **Response Actions:** Public notification via services like "Have I Been Pwned" to prompt password resets for users still utilizing the compromised credentials.
## Attack Methodology
- **Initial Access:** Exploitation of vBulletin software vulnerabilities (common in the 2011 era).
- **Persistence:** Unknown; likely a "smash and grab" database export.
- **Privilege Escalation:** Likely through SQL injection or administrative account compromise.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Access to salted MD5 password hashes within the database.
- **Discovery:** Database schema enumeration.
- **Lateral Movement:** Web-to-Database server.
- **Collection:** Automated export of the `user` table.
- **Exfiltration:** Transfer of data to external attacker-controlled infrastructure.
- **Impact:** Permanent loss of data confidentiality for 223k users.
## Impact Assessment
- **Financial:** No direct financial loss reported; indirect costs related to user churn and community dissolution.
- **Data Breach:** Compromise of 222,810 accounts including:
  - Email addresses
  - IP addresses
  - Usernames
  - Salted MD5 password hashes
- **Operational:** Disruption to forum services; potential account takeovers (ATO) across other platforms due to credential stuffing.
- **Reputational:** High impact on community trust, particularly for a forum dedicated to gaming security and discussion.
## Indicators of Compromise
- **Network indicators:** N/A (Historical incident).
- **File indicators:** Database dumps titled under "RSBoards" or "RuneScape Boards."
- **Behavioral indicators:** Large-scale extraction of SQL data via web ports.
## Response Actions
- **Containment:** Historical information suggests the original community merged or ceased operations over time.
- **Eradication:** Password reset mandates (post-discovery).
- **Recovery:** Integration into breach notification databases to alert affected individuals.
## Lessons Learned
- **Weak Hashing Algorithms:** Salted MD5, while better than plain text, was already becoming vulnerable to high-speed cracking by 2011.
- **Software Lifecycle:** Third-party forum software such as vBulletin requires rigorous patching and security hardening for as long as it is exposed to the internet.
- **Data Persistence:** Breaches from over a decade ago remain relevant today because users reuse passwords across multiple services.
## Recommendations
- **Modern Hashing:** Implement robust password hashing (e.g., Argon2 or bcrypt) instead of MD5.
- **Multi-Factor Authentication (MFA):** Deploy TOTP or FIDO2-based authentication to mitigate the damage of leaked credentials.
- **WAF Deployment:** Utilize a Web Application Firewall to block common forum exploits like SQL injection and Cross-Site Scripting (XSS).
- **Credential Monitoring:** Use threat intelligence services to proactively identify when company or user data appears in "combo lists" or public dumps.
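The two hashing points above (legacy salted MD5 in the Lessons Learned, Argon2/bcrypt in the Recommendations) are illustrated by the following added example, which is not part of the original report. It assumes the vBulletin 3/4 scheme `md5(md5(password) + salt)` for the legacy records (the report only says "salted MD5") and uses `hashlib.scrypt` from the Python standard library as a stand-in for Argon2/bcrypt so the code runs without third-party packages; the user record and its values are constructed.

```python
import hashlib
import hmac
import os

# scrypt parameters (stdlib stand-in for Argon2/bcrypt); ~16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2**14, 8, 1, 32


def legacy_vb_hash(plaintext: str, salt: str) -> str:
    """vBulletin 3/4-style salted MD5: md5(md5(password) + salt).
    Assumed scheme for the legacy records; fast to compute, hence fast to crack."""
    inner = hashlib.md5(plaintext.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def modern_hash(plaintext: str) -> str:
    """Memory-hard hash with a fresh 16-byte random salt, self-describing format."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(plaintext.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_modern(plaintext: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(plaintext.encode(), salt=bytes.fromhex(salt_hex),
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(record: dict, plaintext: str) -> bool:
    """Verify against whichever scheme the record holds. A successful login
    against a legacy MD5 record transparently re-hashes the password with the
    modern KDF, so the weak hash disappears from the database over time."""
    stored = record["password"]
    if stored.startswith("scrypt$"):
        return verify_modern(plaintext, stored)
    # Legacy path: constant-time compare, then upgrade in place.
    expected = legacy_vb_hash(plaintext, record["salt"])
    if not hmac.compare_digest(expected, stored):
        return False
    record["password"] = modern_hash(plaintext)
    record["salt"] = ""  # salt is now embedded in the new hash string
    return True


# Constructed sample record as it would sit in a legacy vBulletin user table.
SAMPLE_USER = {"username": "alice", "salt": "Kq7",
               "password": legacy_vb_hash("correct horse battery", "Kq7")}
```

Run `login(SAMPLE_USER, "correct horse battery")` twice: the first call authenticates against MD5 and rewrites the record, the second authenticates against the scrypt string.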