On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:

> What we know at this point is that someone was able to obtain unauthorized
> access to the phpmyadmin utility. We do not know exactly how they obtained
> access; it was either by compromising an admin's credentials, or by
> exploiting an unpatched vulnerability in phpmyadmin.

Insecure HTTP access?

> Unfortunately, the attackers were able to download the full login
> database for both the appdb and bugzilla. This means that they have all
> of those emails, as well as the passwords. The passwords are stored
> encrypted, but with enough effort and depending on the quality of the
> password, they can be cracked.
>
> This, I'm afraid, is a serious threat; it means that anyone who uses the
> same email / password on other systems is now vulnerable to a malicious
> attacker using that information to access their account.

Since bugzilla passwords were sent in cleartext anyway, I sincerely hope
none of them were otherwise valuable. (Remember FireSheep?)

> We are going to be resetting every password and sending a private email
> to every affected user.

You might also consider expiring old login cookies.

> This is again another reminder to never use a common username / password
> pair. This web site provides further advice as well:
> http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/

Josh
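The two remediation points raised in the thread, resetting every password and expiring the login cookies that were issued before the reset, fit together in one mechanism. The following is an added illustration, not code from the WineHQ appdb, bugzilla or this mailing list: a small in-memory user store (all names hypothetical) that hashes passwords with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) and binds every session cookie to a per-user "generation" counter. A forced password reset bumps the counter, so any cookie minted before the incident is refused on its next use, even though the cookie token itself was never stored or leaked.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical parameters, not from the original message.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def derive_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked table cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


class UserStore:
    """In-memory stand-in for a login database (constructed for this example)."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}      # username -> record
        self.sessions: dict[str, tuple] = {}  # cookie token -> (username, generation)

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self.users[username] = {
            "salt": salt,
            "hash": derive_hash(password, salt),
            "generation": 0,  # incremented on every password reset
        }

    def login(self, username: str, password: str):
        """Return a fresh cookie token on success, or None on failure."""
        rec = self.users.get(username)
        if rec is None:
            return None
        # Constant-time comparison so timing does not reveal partial matches.
        if not hmac.compare_digest(rec["hash"], derive_hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, rec["generation"])
        return token

    def validate_cookie(self, token: str):
        """Return the username for a live cookie, or None if it is stale."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, generation = entry
        rec = self.users.get(username)
        # A cookie issued under an older generation predates a reset: drop it.
        if rec is None or generation != rec["generation"]:
            self.sessions.pop(token, None)
            return None
        return username

    def reset_password(self, username: str, new_password: str) -> None:
        """Forced reset: new salt and hash, and every existing cookie expires."""
        rec = self.users[username]
        rec["salt"] = os.urandom(SALT_BYTES)
        rec["hash"] = derive_hash(new_password, rec["salt"])
        rec["generation"] += 1

    def reset_all(self, new_passwords: dict) -> None:
        """Mass reset of the kind described in the thread; one new password per user."""
        for username, new_password in new_passwords.items():
            self.reset_password(username, new_password)


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")
    old_cookie = store.login("alice", "correct horse battery staple")
    print("before reset:", store.validate_cookie(old_cookie))  # alice
    store.reset_all({"alice": "freshly generated password"})
    print("after reset: ", store.validate_cookie(old_cookie))  # None
```

The generation counter lives in the user record, so a mass reset never has to enumerate or even know about the outstanding sessions; that matters when the session table is large, or when an attacker who copied the database may also hold a copy of it.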