Gotta be careful in the online world
The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
Mm, this was a very curious case as phpBB basically spent the first part of their announcement in damage control mode. the first thing they said was that their servers weren't hacked but "some random third party" which is complete bullshit as Cloudflare operates by intercepting requests to their beloved "phpBB.com".
The way that every normal person uses Cloudflare is such that if the Cloudflare account is compromised, then well, the person can get all of your admin credentials and probably run off with your database, depending if your software exposes that.
That silly sentence will basically mislead anyone who is just in there to quickly check the announcement out, etc.
Of course, if we want to use lawyer talk, they could probably twist phrases here and there, and if you wanted to get technical, it might even be technically correct as their physical servers were never touched, but that's a special level of stupid.
What they should have done was kept it professional and just explained what happened. Like mature adults. MyBB got hacked before, several times in fact, but they just patiently explained things and didn't immediately start trying to cover themselves.
This is just the sort of stupid people have come to expect from phpBB, it seems.
