Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

What Happened

Some time on May 20, 2009, an unused (but still on line) perlmonks server was hacked, and its root password obtained by unknown individuals. The hacker(s) dumped contents from the perlmonks user database on that machine, data which is estimated to be current as of approximately September 2008.

The exploit was published in a hacker e-zine published on July 28, and was brought to the attention of PerlMonks administrators later that night.

The published material included the passwords, email addresses, and "real" names of all of the members of janitors and Saints in Our Book*. However, the hackers presumably obtained, and could distribute, the user info of all perlmonks users — at least those existing as of last September.

As far as is known, the main perlmonks servers have not been hacked.

* The list of Saints used appears by some indications to be a more recent one, from perhaps mid-April.

What Is Being Done In Response

Notifying Users

Alert reader OverlordQ brought the leak to the attention of PerlMonks administrators late in the evening of July 28.

At approximately 0130 UTC of July 29, an administrator of the perlmonks group on Facebook sent a broadcast message to all members of that group, notifying them of the event and advising them to change their PerlMonks passwords.

At about 1600 UTC of July 29, a notice was posted on the Monastery Gates.

At about 2100 UTC of July 29, PerlMonks administrators sent an email to the email addresses of record of the approximately 580 users whose user info was published, notifying them of the event and advising them to change their PerlMonks passwords.

Unfortunately, not all of the ~580 users whose passwords were published had working emails. In many cases, the gods have attempted to contact those individuals by alternate email addresses or other means. If you think you should have received such an email but have not, please check your spam folder for email from

At some time prior to that, the gods changed the passwords of those users (out of the 580) who had not yet already changed them. (Noted by tye in Re: It's Time for Everyone to Change Passwords! (changed))

Lastly, this post is an official notification and status message to the members and visitors of the PerlMonks web site.

Any changes to the site as a consequence of this event will be announced in Tidings.

Closing the Hole

PerlMonks admins are working with the folks (who manage our hardware and connectivity resources) to evaluate and strengthen security on the servers. No information is available at this time as to the status of this effort.

Strengthening Authentication

The administrators are planning to implement hashed passwords (allowing more than 8 chars).

What Should You Do?

If you have already changed your password, you are set (at least until the next time someone steals the info from our user database). If you have not, and you are one of the ~580 users whose user info was leaked, your password has been changed for you. Use What's my password? to request an e-mail containing your new, randomly generated password.

All PerlMonks registered users are strongly encouraged to have a current email address in their profile in case further administrative password resets are necessary. Emails can be set/changed by going to your homenode and clicking "Edit your Profile".

Caution: If you used your PerlMonks password on any other service (other sites, email, etc.), you should change those other passwords now — and for, FSM's sake, do NOT reuse passwords! Ever!

If you are unable to log in due to a lost/changed password and email isn't working, you may send a message to the gods via the form at Retrieving a forgotten username or password. Alternatively, you may contact the PerlMonks administrators via email, at

Many thanks must go out to jdporter who collected all this information and wrote it up in a presentable manner.

Co-Rion for the gods

PS - The perlmonks maintainers wish to extend a hearty high-five of gratitude to noble monk OverlordQ, who had the integrity and presence of mind to bring the security leak to our attention. Although, we do have to wonder what he was doing reading a hacker e-zine in the first place... ;-)

In reply to Status of Recent User Information Leak by Co-Rion

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others taking refuge in the Monastery: (5)
    As of 2018-06-23 16:18 GMT
    Find Nodes?
      Voting Booth?
      Should cpanminus be part of the standard Perl release?

      Results (125 votes). Check out past polls.