Status of Recent User Information Leak
by Co-Rion (Monk) on Jul 30, 2009 at 21:01 UTC
Some time on May 20, 2009, an unused (but still online) perlmonks server was hacked, and its root password obtained by unknown individuals. The hacker(s) dumped contents from the perlmonks user database on that machine, data which is estimated to be current as of approximately September 2008.
The published material included the passwords, email addresses, and "real" names of all of the members of janitors and Saints in Our Book*. However, the hackers presumably obtained, and could distribute, the user info of all perlmonks users — at least those existing as of last September.
As far as is known, the main perlmonks servers have not been hacked.
* The list of Saints used appears by some indications to be a more recent one, from perhaps mid-April.
What Is Being Done In Response
At approximately 0130 UTC of July 29, an administrator of the perlmonks group on Facebook sent a broadcast message to all members of that group, notifying them of the event and advising them to change their PerlMonks passwords.
At about 1600 UTC of July 29, a notice was posted on the Monastery Gates.
At about 2100 UTC of July 29, PerlMonks administrators sent an email to the email addresses of record of the approximately 580 users whose user info was published, notifying them of the event and advising them to change their PerlMonks passwords.
Unfortunately, not all of the ~580 users whose passwords were published had working emails. In many cases, the gods have attempted to contact those individuals by alternate email addresses or other means. If you think you should have received such an email but have not, please check your spam folder for email from email@example.com.
At some time prior to that, the gods changed the passwords of those users (out of the 580) who had not yet already changed them. (Noted by tye in Re: It's Time for Everyone to Change Passwords! (changed))
Lastly, this post is an official notification and status message to the members and visitors of the PerlMonks web site.
Any changes to the site as a consequence of this event will be announced in Tidings.
Closing the Hole
PerlMonks admins are working with the Pair.com folks (who manage our hardware and connectivity resources) to evaluate and strengthen security on the servers. No information is available at this time as to the status of this effort.
The administrators are planning to implement hashed passwords (allowing more than 8 chars).
What Should You Do?
If you have already changed your password, you are set (at least until the next time someone steals the info from our user database). If you have not, and you are one of the ~580 users whose user info was leaked, your password has been changed for you. Use What's my password? to request an e-mail containing your new, randomly generated password.
All PerlMonks registered users are strongly encouraged to have a current email address in their profile in case further administrative password resets are necessary. Emails can be set/changed by going to your homenode and clicking "Edit your Profile".
Caution: If you used your PerlMonks password on any other service (other sites, email, etc.), you should change those other passwords now — and, for FSM's sake, do NOT reuse passwords! Ever!
If you are unable to log in due to a lost/changed password and email isn't working, you may send a message to the gods via the form at Retrieving a forgotten username or password. Alternatively, you may contact the PerlMonks administrators via email, at firstname.lastname@example.org.
Many thanks must go out to jdporter who collected all this information and wrote it up in a presentable manner.
Co-Rion for the gods
PS - The perlmonks maintainers wish to extend a hearty high-five of gratitude to noble monk OverlordQ, who had the integrity and presence of mind to bring the security leak to our attention. Although, we do have to wonder what he was doing reading a hacker e-zine in the first place... ;-)