Kodi Data Breach: Information of 400,000 Users Publicly Sold

Kodi is an open source media player developed by the Kodi Foundation (formerly known as XBMC, renamed Kodi since version 14.0). It runs on a variety of operating systems and hardware platforms and lets users play videos, music, podcasts and other common media files stored on local or network storage devices.

The software was originally intended to run on the Xbox, hence the name XBMC. Later came native versions for Android, Linux, BSD, macOS, iOS, and Windows operating systems.

The Kodi team confirmed that a data breach occurred on their user forums, affecting the personal data of more than 400,000 users, which included names, email addresses, IP addresses, and passwords, as well as information users sent via the messaging system.

An investigation by the Kodi team found that the Kodi User Forum (MyBB) management console was accessed twice on February 16 and February 21 of this year. The leaked data was accessed using the account of a trusted but currently inactive member of the forum admin team, and as such, the Kodi team saw nothing unusual during this time.

The breach was ultimately discovered when team members found Kodi forum user data being sold on other Internet forums.

Kodi has now disabled the accounts used in the data breach and conducted an initial review of the team's infrastructure. While passwords on the forum are stored in an encrypted format, the team said they must assume all passwords have been compromised.

The Kodi team is investigating how best to perform a global password reset and how best to guarantee the integrity of the server host and associated software. The forum server is currently down, which also affects the Kodi pastebin and wiki sites. Because the problem must be thoroughly investigated and fixed, the team cannot yet give a timetable for bringing the forum server back online.

To keep their information secure, users who have used the same username and password on any other website are advised to reset their password there as soon as possible to avoid being affected.

Origin www.oschina.net/news/236047/kodi-user-data