Private Internet Access, a VPN provider based in the United States, experienced a security breach early this morning by what appears to be spammers.
They were alerted to the intrusion because the attacker inserted code into the site that prompted forum users to "send bitcoins to an address to receive 10x that amount in return".
The attackers used a known PHP object injection vulnerability in Vanilla Forums, the forum software PIA uses. Keeping the forum software up to date would have closed this vulnerability before it could be used in this attack.
They also accessed the server's SQL database and likely pulled hashed forum passwords from it. PIA did not disclose whether other registration information, such as email addresses, was compromised in the data breach. This is significant because users typically reuse the same passwords in multiple places, such as to log in to the VPN service or to their personal email.
Their response is to move to different forum software and to start a white-hat program to search for vulnerabilities in their systems, with rewards that vary with the severity of the vulnerability found.
They have "advised" people to change their passwords, but did not force a password change for all users, which would be standard procedure for a large-scale security breach.
This reinforces our belief that security is not all about encryption strength. 99 times out of 100 it is an OS or app vulnerability that brings down a system.
Source: the privateinternetaccess blog