2011/10/11 Jerome Leclanche <adys.wh@xxxxxxxxx>:
> Thank you so much for letting the users know so early on.
>
> Bugzilla/forum passwords should probably be reset as well for appdb
> users, there's no doubt most people share passwords with the appdb.
>
> On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <jwhite@xxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> I am sad to say that there was a compromise of the WineHQ database system.
>>
>> What we know at this point is that someone was able to obtain unauthorized
>> access to the phpmyadmin utility. We do not know exactly how they obtained
>> access; it was either by compromising an admin's credentials, or by
>> exploiting an unpatched vulnerability in phpmyadmin.
>>
>> We had reluctantly provided access to phpmyadmin to the appdb developers
>> (it is a very handy tool, and something they very much wanted). But it
>> is a prime target for hackers, and apparently our best efforts at
>> obscuring it and patching it were not sufficient.
>>
>> So we have removed all access to phpmyadmin from the outside world.
>>
>> We do not believe the attackers obtained any other form of access to the
>> system.
>>
>> On the one hand, we saw no evidence of harm to any database. We saw no
>> evidence of any attempt to change the database (and candidly, using the
>> real appdb or bugzilla is the easy way to change the database).
>>
>> Unfortunately, the attackers were able to download the full login
>> database for both the appdb and bugzilla. This means that they have all
>> of those emails, as well as the passwords. The passwords are stored
>> encrypted, but with enough effort and depending on the quality of the
>> password, they can be cracked.
>>
>> This, I'm afraid, is a serious threat; it means that anyone who uses the
>> same email / password on other systems is now vulnerable to a malicious
>> attacker using that information to access their account.
>>
>> We are going to be resetting every password and sending a private email
>> to every affected user.
>>
>> This is again another reminder to never use a common username / password
>> pair. This web site provides further advice as well:
>> http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/
>>
>> I am very sad to have to report this. We have so many challenges in our
>> world today that this is a particularly painful form of salt for our wounds.
>>
>> However, I think it is urgent for everyone to know what happened.
>>
>> Cheers,
>>
>> Jeremy
>>
>

Thanks for the early notice!

Testbot passwords should also be reset as it seems it doesn't allow password
reset / change ATM. (At least I wasn't able to find that possibility.)

--
Nicolas Le Cam