PPRuNe Forums - View Single Post - How was Pprune hacked?
Old 2nd April 2003 | 22:16
25F
Joined: Mar 2000
Posts: 357
Likes: 14
Thanks Ronbmy, I take it it was basically an SQL injection attack then. Yes, vBulletin runs on PHP / MySQL. So do my websites. This is why I want, nay, need to know. Confirmation from the "chief pilot" that the hole was vBulletin specific would be comforting.

gofer, the "how" needs to be published. This is how we build secure systems. "Security through obscurity" has been thoroughly discredited. Yes, you give people a short time to patch their systems, but then you publish.

You (I don't mean you in particular, gofer) may find it counter-intuitive, but yes, by making your security mechanisms as public as possible, you end up with better security. This has been a hard-earned lesson in the world of computers, and I believe it holds true in the real world too. The difference with computers is that once you've learnt how to hack one system, it is trivial to do as many (similar systems) as you like. On the other hand if you've worked out a method of robbing a bank or hijacking a plane, the subsequent banks and planes are still going to take quite a lot of effort. This is probably why OBL's fanatics decided to go for four at once: they knew that their actions would change the security model.

There is a frequent cry of "stop giving things away" when (airline) security is discussed on Pprune. I think this is misguided. By exposing the model to public scrutiny there is a greater chance of a flaw being discovered by a "good guy" (and reported in good time to the right people) than by a "bad guy".

Meanwhile, it is extremely naive to think that Al'BadGuy cannot find out what the security mechanisms are, either willingly from somebody that works in the industry, or unwillingly from somebody, via coercion, or by social engineering, or some other method.

End rant.
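The post above names SQL injection as the likely cause and worries about other PHP / MySQL sites with the same pattern. The following is an added example, not code from the thread or from vBulletin: it uses an in-memory SQLite table (a constructed stand-in, since the page shows no schema or query) to contrast a lookup that splices user input into the SQL text with one that passes it as a bound parameter. The same distinction applies in PHP with MySQL, where the hardened form is a prepared statement through `mysqli` or `PDO` with bound parameters.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (assumption: not the real forum schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL text,
    so quote characters in it change the query's structure instead of its data."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened pattern: a placeholder in the SQL, the value sent separately.
    The driver treats the whole string as data, whatever characters it holds."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A constructed input containing a quote and an always-true condition.
    hostile = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))  # every row comes back
    print("safe:  ", lookup_safe(db, hostile))    # no such user, so nothing
```

The point for a site owner is that the fix is not a filter on "bad" characters but a change in how the query is built: once every value reaches the database through a parameter, the structure of the statement is fixed before any user input is seen.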