Dear all,

In January and February 2017, 126 vBulletin forums were hacked. The old Zarafa forum was one of these forum. As a result, usernames, hashed passwords and email addresses were made public and used by spammers to send emails to. While the forum software in use only stores hashed version of the passwords, and not the actual passwords themselves we forced a password reset for all users as an additional security measurement. Unfortunately, we cannot remove the list with email addresses that was shared back in March. However, to prevent further incidents we applied patches provided by the author of the forum software to address the issue shortly after we became aware of these (March 16 & 17). Additionally since the Zarafa software has reached end of life in april we have also deactivated new user registrations back in April.

To inform the Zarafa forum users we sent the following email:

Dear Zarafa forum user,

As you may have noticed the Zarafa forum has been in maintenance mode for the last day. The system was put into maintenance mode after we discovered the installation has been targeted with a SQL injection attack where the attacker potentially retrieved email addresses, usernames and passwords.

The vBulletin software was updated to the latest version (which is not vulnerable) and we have forced all users to change their passwords - this means you will be asked to do so the next time you visit the forum.

If you have used the password for the Zarafa forums for any other accounts or services, please make sure you also change your password there.

Our sincere apologies for the inconvenience!

Kind regards,

Zarafa Community Forum Team
We also reported the hack to the Dutch Data Protection Authority.

We encourage everyone that still uses Zarafa to take a look at Kopano. The folks at Kopano also provide a forum (, which due to its more modern architecture is easier to maintain as well.

If you have any questions about this hack, please contact us at [email protected].

Kind regards,

The Zarafa Team