A known SQL injection vulnerability in Forumrunner, an add-on in the Ubuntu forums that hadn t been patched, led to the attack. Ubuntu has backed up all servers running vBulletin, the forum software package it runs, and wiped them clean and rebuilt them from the ground up The company claims the information was encrypted with a MD5 hashing algorithm and per-user cryptographic salt. Ubuntu is certain the attacker wasn’t able to access any code belonging to the operating system or access any valid user passwords.
Source: https://threatpost.com/two-million-passwords-breached-in-ubuntu-hack/119335/