FYI

---------- Forwarded message ---------- From: Erik Moeller erik@wikimedia.org Date: 2013/10/3 Subject: [Wikimedia-l] Notification about Wikimedia user account security issue To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org

See also: https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue

On October 1, 2013, we learned about an implementation error that made private user information (specifically, user email addresses, password hashes, session tokens, and last login timestamp) for approximately 37,000 Wikimedia project users accessible to volunteers with access to the Wikimedia "LabsDB" infrastructure.

LabsDB, launched in May 2013, is designed to give volunteers the ability to write tools and generate reports that make use of data from our databases in real-time. This supports bottom-up innovation by the Wikimedia community. As part of this process, private data is automatically redacted before volunteers are given access to the data. Unfortunately, for some of Wikimedia’s wikis[1], the database triggers used to redact private data failed to take effect due to a schema incompatibility, and LabsDB users had access to private user data for some user accounts in these specific wiki databases. As of October 1, 228 users have access to LabsDB, and the window of availability of this data was May 29, 2013 to October 1, 2013.

This issue was discovered and reported by a trusted volunteer, and access to the data in question was revoked within 15 minutes of the report. We have no evidence to suggest that the private data in question was exported in bulk or used for malicious purposes, but we cannot definitively exclude the possibility. As a precautionary measure, we have invalidated all affected user sessions, and are requiring affected users to change their password on their next login.

We have also sent an email notification to affected users with a confirmed email address.

We regret this mistake. LabsDB is still a new part of our infrastructure, and we will fully audit the redaction process, so as to minimize any risk of a future mistake of this nature.

Sincerely, Erik Moeller Vice President of Engineering & Product Development

Contact information

Should you have any questions, please contact us via email to:

accountsecurity@wikimedia.org

You can also reach the Wikimedia Foundation at:

Wikimedia Foundation, Inc. 149 New Montgomery Street Floor 6 San Francisco, CA 94105 United States Phone: +1-415-839-6885 Fax: +1-415-882-0495

[1] List of affected databases: aswikisource bewikisource dewikivoyage elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki wikimania2014wiki

-- Erik Möller VP of Engineering and Product Development, Wikimedia Foundation

_______________________________________________ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe