The Kodi Foundation has disclosed a data breach after hackers stole the organization’s MyBB forum database containing user data and private messages and attempted to sell it online.

Kodi is a cross-platform, open-source media player, organizer, and streaming suite, which supports a wide range of third-party add-ons that allow users to access content from various sources or customize their experience.

The forum, currently offline, has around 401,000 members who have used it to discuss media streaming, exchange tips, get support, share new add-ons and more, across some 3 million posts.

According to an announcement posted by the platform on Saturday, hackers stole the forum’s database by logging into the admin console using the credentials of an inactive staff member.

Once inside the admin panel, the intruder created fresh database backups and also retrieved the existing nightly full backups, over two sessions in February 2023.

“MyBB admin logs show that the account of a trusted but currently inactive member of the forum admin team was used twice to access the MyBB web admin console: February 16 and again on February 21,” Kodi explains in a message to its users.

“The account was used to create database backups which were later uploaded and deleted. It also uploaded existing nightly full backups of the database.”

The Kodi team confirmed that the real owner of the account did not perform these actions on the admin console, which indicates that the staff member's credentials were stolen or otherwise obtained by the attacker.
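The pattern Kodi describes is one a forum operator can hunt for in admin-console logs: a long-dormant admin account logs in again, from an address never seen for that account, and within minutes creates and downloads database backups. The script below is an added example and is not Kodi's or MyBB's code; the pipe-separated log format, the `uid` values and every record are constructed for illustration and make no claim to match MyBB's real admin log table, so adapt `parse_log` to whatever your forum actually writes.

```python
"""Detect dormant-admin reactivation followed by backup operations.
Added example, not Kodi's or MyBB's code. The log format and all
records below are constructed and do not reflect MyBB's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp | uid | source IP | module | action
ADMIN_LOG = """\
2022-09-03T10:12:44 | 7 | 203.0.113.10 | home   | login
2022-09-03T10:20:01 | 7 | 203.0.113.10 | config | settings
2023-02-10T08:05:12 | 3 | 198.51.100.5 | home   | login
2023-02-16T02:41:09 | 7 | 192.0.2.77   | home   | login
2023-02-16T02:44:30 | 7 | 192.0.2.77   | tools  | backupdb
2023-02-16T02:58:12 | 7 | 192.0.2.77   | tools  | backupdb_download
2023-02-16T03:01:50 | 7 | 192.0.2.77   | tools  | backupdb_delete
2023-02-21T23:12:03 | 7 | 192.0.2.78   | home   | login
2023-02-21T23:15:40 | 7 | 192.0.2.78   | tools  | backupdb_download
"""

DORMANT_AFTER = timedelta(days=90)    # no admin login for this long = dormant
SESSION_WINDOW = timedelta(hours=4)   # follow-on actions attributed to a login
BACKUP_ACTIONS = {"backupdb", "backupdb_download", "backupdb_delete"}


def parse_log(text):
    """Turn the constructed log text into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, uid, ip, module, action = (f.strip() for f in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "uid": int(uid),
                       "ip": ip, "module": module, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_logins(events, dormant_after=DORMANT_AFTER,
                           window=SESSION_WINDOW):
    """Flag admin logins that reactivate a dormant account, come from an IP
    never seen for that uid, or are followed by backup operations."""
    last_login = {}
    seen_ips = defaultdict(set)
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "login":
            continue
        uid = ev["uid"]
        gap = ev["ts"] - last_login[uid] if uid in last_login else None
        dormant = gap is not None and gap > dormant_after
        new_ip = bool(seen_ips[uid]) and ev["ip"] not in seen_ips[uid]
        # Backup-related actions by the same uid inside the session window.
        backup_ops = [
            f["action"] for f in events[i + 1:]
            if f["uid"] == uid and f["ts"] - ev["ts"] <= window
            and f["action"] in BACKUP_ACTIONS
        ]
        if dormant or new_ip or backup_ops:
            if backup_ops and (dormant or new_ip):
                severity = "critical"
            elif backup_ops or dormant:
                severity = "high"
            else:
                severity = "medium"
            findings.append({
                "uid": uid, "ts": ev["ts"].isoformat(), "ip": ev["ip"],
                "gap_days": gap.days if gap is not None else None,
                "dormant": dormant, "new_ip": new_ip,
                "backup_ops": backup_ops, "severity": severity,
            })
        last_login[uid] = ev["ts"]
        seen_ips[uid].add(ev["ip"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_log(ADMIN_LOG)):
        print(f"[{f['severity']}] uid={f['uid']} {f['ts']} from {f['ip']} "
              f"dormant={f['dormant']} gap_days={f['gap_days']} "
              f"new_ip={f['new_ip']} backup_ops={f['backup_ops']}")
```

Run against the constructed log, the first login of uid 7 is baseline and stays quiet; the February 16 login is flagged critical (165 days dormant, new IP, three backup operations in the following twenty minutes), and the February 21 login is flagged critical again because a new IP downloads a backup. In practice the two cheaper controls are better still: disable or remove admin accounts that have not been used for a set period, and require a second factor on the admin console.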

The stolen database contains every public and staff forum post, the private messages exchanged between users, and forum member data, including usernames, email addresses and salted password hashes as generated by MyBB 1.8.27. The passwords are hashed, not encrypted: the attacker holds both the hash and the salt for every account.

Although the passwords were hashed and salted, Kodi warns that all of them should now be considered compromised. The administration team is planning a global password reset, which will inevitably affect the availability of the service.

“Users should assume that their Kodi forum credentials and any private data shared with other users through the user-to-user messaging system are compromised,” warns Kodi’s announcement.

“If you used the same username and password on another site, you should follow the password reset/change procedure for that site.”
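Kodi's advice to treat every password as compromised is the right call, and it is worth seeing why a salt does not change it. Salting stops precomputed tables and stops one cracking run from covering every user at once, but MyBB 1.8.x stores `md5(md5(salt) . md5(password))` beside an eight-character salt, three fast MD5 operations with no work factor, so each account's hash still falls to a wordlist on its own. The script below is an added example, not Kodi's or MyBB's code; it reproduces that scheme, and the user rows and wordlist are constructed for the demonstration. The PBKDF2 comparison uses an iteration count in the range commonly recommended today.

```python
"""Why a salted MyBB 1.8 hash is still 'compromised'.
Added example, not Kodi's or MyBB's code. Reproduces the MyBB 1.8.x
construction md5(md5(salt) . md5(password)); all rows and the wordlist
are constructed."""
import hashlib
import secrets
import string
import time

SALT_CHARS = string.ascii_letters + string.digits


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_salt(length=8):
    """MyBB 1.8 uses an 8-character random salt."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def mybb_hash(password, salt):
    """The MyBB 1.8 construction: three fast MD5s, no work factor."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


# Constructed dump rows in the shape an attacker gets: (username, salt, hash).
DUMP = [
    ("alice", "k3Jd9Qz1", mybb_hash("kodi2023", "k3Jd9Qz1")),
    ("bob",   "Pq7Lm2Xs", mybb_hash("kodi2023", "Pq7Lm2Xs")),
    ("carol", "Zx9Vb4Nw", mybb_hash("correct horse battery staple", "Zx9Vb4Nw")),
]
WORDLIST = ["123456", "password", "kodi", "xbmc", "letmein", "kodi2023", "media"]


def crack_row(salt, target, wordlist):
    """Per-row dictionary attack. The salt forces the work to be redone
    for each user; it does not make any single guess slower."""
    salt_part = md5_hex(salt)
    for candidate in wordlist:
        if md5_hex(salt_part + md5_hex(candidate)) == target:
            return candidate
    return None


def crack_dump(dump, wordlist):
    """Crack every row independently; returns {username: password or None}."""
    return {user: crack_row(salt, h, wordlist) for user, salt, h in dump}


def guesses_per_second(seconds=0.2):
    """Rough single-core throughput of the MyBB scheme in pure Python.
    Dedicated GPU crackers are several orders of magnitude faster."""
    salt_part = md5_hex("sample")
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        md5_hex(salt_part + md5_hex(str(n)))
        n += 1
    return n / seconds


def slow_hash_seconds(iterations=600_000):
    """Cost of a single guess against a deliberately slow hash
    (PBKDF2-HMAC-SHA256 at a commonly recommended iteration count)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"kodi2023", b"k3Jd9Qz1", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(crack_dump(DUMP, WORDLIST))
    print(f"MyBB scheme: ~{guesses_per_second():,.0f} guesses/s in pure Python")
    print(f"PBKDF2-SHA256, {600_000:,} rounds: {slow_hash_seconds():.2f} s per guess")
```

Alice and Bob share a password but get different hashes because of their salts, and both are recovered from a seven-word list anyway; Carol's long passphrase survives only because it is not in the list. Rather than trusting that, a user whose forum password was reused anywhere else should change it there too, exactly as Kodi advises.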

In an update released earlier today, the Kodi admins told the community that they are commissioning a new forum server, even though there is no evidence or sign of compromise on the existing systems.

The forum will be redeployed on the latest available version of MyBB. Porting Kodi's custom functional changes and backported security fixes to it is a heavy workload, so a delay of "several days" is to be expected.

Kodi has also shared the list of email addresses tied to forum accounts with the Have I Been Pwned (HIBP) data breach notification service.

Once the data is loaded into HIBP, subscribers to the service will receive a notification if their email address is among the exposed data.

If you are not a HIBP subscriber, you can also enter your email address on the site to see a list of all data breaches that contain your email address.

Finally, the Kodi team plans to perform penetration testing once everything is up and running again. They are appealing to professional auditors who could volunteer to give time and expertise to help them with this cybersecurity project.

