Ubuntu Forums Hacked, 2 Million Users' Details Stolen - OMG! Ubuntu!
1.
vBulletin is the WordPress of web forums.
2.
Dear fellow cBoarders, if you are involved in large projects that offer a plugin API and you mean to support large databases of user personal information, please, just please, do not introduce regressions into your plugin API with almost every single version you release. You are putting an extra burden on your plugin developers who may not have the time to fix or even check their code every time you do an update, but you are also forcing your plugin developers to constantly maintain their code and with that increase the opportunity for new bugs to emerge.
3.
Dear fellow cBoarders, in addition to the above, if you are involved in these types of projects also consider that hashed and salted passwords are a mundane feature these days that is both easy to implement and expected. In other words, thank you for it, but we don't consider you special. Personally identifiable information must be hashed and salted too. When putting up the scenario that your server application is eventually going to be breached, you should be fully aware that the hacker should not get access to such identifiable information as IP addresses and email accounts, especially when linked to each other. Not only are you contributing to the continued existence and growth of the spam business, but you are also risking the security of individuals living in authoritarian regimes who can now be more easily linked to their online persona.
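As an added illustration of the point above about protecting identifiers as well as passwords (example code, not from the post or from vBulletin): the sketch stores e-mail and IP as keyed hashes (HMAC with a server-side key kept outside the database, a swap for a per-row salt, which would make login lookup impossible and leaves guessable values easy to brute-force) and the password as a salted slow hash. All names, the key handling and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed: in practice the key comes from a secrets store or environment,
# never from the database that holds the user table.
SERVER_KEY = os.urandom(32)


def normalize_email(email: str) -> str:
    """Canonicalize so the same mailbox always yields the same digest."""
    return email.strip().lower()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 of a low-entropy identifier (e-mail, IP). Without the key,
    a table dump alone does not let anyone rebuild the e-mail/IP mapping."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256) stored as salt$iter$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_user_row(username: str, email: str, ip: str, password: str, key: bytes = SERVER_KEY) -> dict:
    """A forum user row with no plaintext e-mail or IP address in it."""
    return {
        "username": username,
        "email_h": keyed_hash(normalize_email(email), key),
        "last_ip_h": keyed_hash(ip, key),
        "password": hash_password(password),
    }


def find_by_email(rows: list, email: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Login lookup still works: recompute the keyed hash and match on it."""
    target = keyed_hash(normalize_email(email), key)
    return next((r for r in rows if r["email_h"] == target), None)


def dump_leaks_plaintext(rows: list, values: list) -> bool:
    """Would a raw dump of these rows expose any of the given plaintext values?"""
    blob = repr(rows).lower()
    return any(v.lower() in blob for v in values)
```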
4.
Dear fellow cBoarders, if you are instead running third-party servers, serving millions of users, know that you will be breached. Not if, but when. So, do everyone a favor and reduce the "when" window by at least keeping an eye on any security advisory notes. Because there is nothing that will look worse on you than being breached because of a KNOWN security vulnerability in a plugin that you didn't disable or patch yourself. And one day -- I hope sooner than later -- people will start taking these businesses to court. Put up your roadshow on the backs of third-party software all you want, but act responsibly. Don't put all the damage of your irresponsible service management on your users. They will eventually fight back. This is becoming tiring.
5.
At this rate, haveibeenpwned.com will soon list every single email address in the world.