FYI, especially since wikimania2013 & wikimania2014 are two of the affected wikis.
---------- Forwarded message ----------
From: Erik Moeller erik@wikimedia.org
Date: 3 October 2013 06:56
Subject: [Wikimedia-l] Notification about Wikimedia user account security issue
To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
See also: https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue
On October 1, 2013, we learned about an implementation error that made private user information (specifically, user email addresses, password hashes, session tokens, and last login timestamp) for approximately 37,000 Wikimedia project users accessible to volunteers with access to the Wikimedia "LabsDB" infrastructure.
LabsDB, launched in May 2013, is designed to give volunteers the ability to write tools and generate reports that make use of data from our databases in real-time. This supports bottom-up innovation by the Wikimedia community. As part of this process, private data is automatically redacted before volunteers are given access to the data. Unfortunately, for some of Wikimedia’s wikis[1], the database triggers used to redact private data failed to take effect due to a schema incompatibility, and LabsDB users had access to private user data for some user accounts in these specific wiki databases. As of October 1, 228 users have access to LabsDB, and the window of availability of this data was May 29, 2013 to October 1, 2013.
This issue was discovered and reported by a trusted volunteer, and access to the data in question was revoked within 15 minutes of the report. We have no evidence to suggest that the private data in question was exported in bulk or used for malicious purposes, but we cannot definitively exclude the possibility. As a precautionary measure, we have invalidated all affected user sessions, and are requiring affected users to change their password on their next login.
We have also sent an email notification to affected users with a confirmed email address.
We regret this mistake. LabsDB is still a new part of our infrastructure, and we will fully audit the redaction process, so as to minimize any risk of a future mistake of this nature.
Sincerely, Erik Moeller Vice President of Engineering & Product Development
Contact information
Should you have any questions, please contact us via email to:
accountsecurity@wikimedia.org
You can also reach the Wikimedia Foundation at:
Wikimedia Foundation, Inc. 149 New Montgomery Street Floor 6 San Francisco, CA 94105 United States Phone: +1-415-839-6885 Fax: +1-415-882-0495
[1] List of affected databases: aswikisource bewikisource dewikivoyage elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki wikimania2014wiki
-- Erik Möller VP of Engineering and Product Development, Wikimedia Foundation
_______________________________________________ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
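An added illustration (not Wikimedia's code and not part of the original e-mails) of the kind of redaction audit the notice refers to: it inspects what a replica actually contains instead of trusting that a redaction trigger was installed. The SQLite stand-in, the wiki names, the column set and the fail-open installer are all assumptions constructed for this example.

```python
import sqlite3

# Private fields named in the notice, mapped to MediaWiki-style column names.
# The mapping (user_touched for the login timestamp) is an assumption.
PRIVATE_COLUMNS = ("user_email", "user_password", "user_token", "user_touched")
BASE_COLUMNS = ["user_id", "user_name", *PRIVATE_COLUMNS]

REDACT_TRIGGER = """
CREATE TRIGGER redact_user AFTER INSERT ON "user"
BEGIN
    UPDATE "user"
       SET user_email = '', user_password = '', user_token = '', user_touched = ''
     WHERE user_id = NEW.user_id;
END;
"""

# Constructed sample accounts.
SAMPLE_USERS = [(1, "ExampleUserA"), (2, "ExampleUserB")]


def columns(db, table):
    """Column names of `table`, in schema order."""
    return [row[1] for row in db.execute(f'PRAGMA table_info("{table}")')]


def install_redaction(db):
    """Constructed model of the failure mode: the installer expects one exact
    column layout and silently skips a table that differs (fail-open)."""
    if columns(db, "user") != BASE_COLUMNS:
        return False  # no trigger installed and no alarm raised
    db.executescript(REDACT_TRIGGER)
    return True


def make_replica(extra_cols=()):
    """Build an in-memory replica, run the installer, then replicate rows."""
    db = sqlite3.connect(":memory:")
    defs = ["user_id INTEGER PRIMARY KEY", "user_name TEXT"]
    defs += [f"{c} TEXT" for c in (*PRIVATE_COLUMNS, *extra_cols)]
    db.execute(f'CREATE TABLE "user" ({", ".join(defs)})')
    install_redaction(db)
    for uid, name in SAMPLE_USERS:
        db.execute(
            'INSERT INTO "user" (user_id, user_name, user_email, user_password,'
            " user_token, user_touched) VALUES (?, ?, ?, ?, ?, ?)",
            (uid, name, f"{name}@example.org", "constructed-hash",
             "constructed-token", "20131001000000"),
        )
    db.commit()
    return db


def has_redaction_trigger(db):
    """Mechanism check: is the trigger present? Not sufficient on its own."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'trigger' AND name = 'redact_user'"
    ).fetchone()
    return row is not None


def audit_replica(db, table="user"):
    """Outcome check: {column: rows still holding data} for private columns."""
    present = set(columns(db, table))
    leaks = {}
    for col in PRIVATE_COLUMNS:
        if col not in present:
            continue
        (count,) = db.execute(
            f'SELECT COUNT(*) FROM "{table}" '
            f'WHERE "{col}" IS NOT NULL AND "{col}" <> \'\''
        ).fetchone()
        if count:
            leaks[col] = count
    return leaks


def audit_all(replicas):
    """Fail closed: return only the replicas that must not be exposed."""
    report = {name: audit_replica(db) for name, db in replicas.items()}
    return {name: leaks for name, leaks in report.items() if leaks}


def build_demo():
    """Two constructed wikis; the second has one extra column in its schema."""
    return {
        "examplewiki_a": make_replica(),
        "examplewiki_b": make_replica(extra_cols=("user_editcount",)),
    }


if __name__ == "__main__":
    for wiki, leaks in audit_all(build_demo()).items():
        print(f"BLOCK {wiki}: unredacted private columns {leaks}")
```

Running such a check on every replica before granting access, and again on a schedule, turns a silent redaction failure into a blocked database.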
Yeah, I've already gotten my mail... great... :(
*~Orsolya*
While I am upset about this news, the security breach could have been much worse. It's worth keeping in mind that access to Labs is restricted to only established members of the community and developers, and the list of people with access to Labs is public. I would have been much more worried if this leak happened somewhere else that was less controlled.
Sven
Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
I agree with others that the risk is very, very small; nonetheless, it is not non-existent.
Risker/Anne
They look like they're linked into CentralAuth/global accounts/SUL to me…
Thanks, Mike
On Thu, Oct 3, 2013 at 1:06 PM, Risker risker.wp@gmail.com wrote:
Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
I agree with others that the risk is very, very small; nonetheless, it is not non-existent.
Risker/Anne
It sounds like they've already scrambled the passwords as part of requiring the password reset procedure. Even if they haven't, Erik's description of precautionary measures should mean that access to your Wikimania (etc) accounts is disabled prior to a password reset using your e-mail, so there's no real risk that someone will get into your account (unless they can also get into your e-mail).
But normally notices of compromised passwords include standard language suggesting that users change their passwords for any other login where they've used similar information, in case the combination of name and password is sold or someone attempts to use their knowledge of you to access your information on other sites. Perhaps that is part of the e-mail notification the WMF sent; if not, it's good practice.
~Nathan
On Thu, Oct 3, 2013 at 1:06 PM, Risker risker.wp@gmail.com wrote:
Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
Actually, changing your SUL password should change your password on all your attached Wikimedia wiki accounts. This includes all public wikis, but does not include private or fishbowl ones. So, for example, if you also used the same password on wikimaniateamwiki or foundationwiki, you will need to change it separately there.
On Thu, Oct 3, 2013 at 1:18 PM, Nathan nawrich@gmail.com wrote:
But normally notices of compromised passwords include standard language suggesting that users change their passwords for any other login where they've used similar information, in case the combination of name and password is sold or someone attempts to use their knowledge of you to access your information on other sites. Perhaps that is part of the e-mail notification the WMF sent; if not, it's good practice.
This too. If you used the same password combination elsewhere (you shouldn't, but people often do), then you should change those too.
On Thu, Oct 3, 2013 at 10:06 AM, Risker risker.wp@gmail.com wrote:
Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part of SUL, so most users should use their CentralAuth account to log in. They are slightly odd in that we don't give you a cookie for those sites when you initially log in on another wiki, but with SUL2, you *should* get logged in when you visit the site.
However, since SUL2 is relatively new, and you wouldn't get automatically logged in when visiting the site with the original SUL, I'm guessing many users visited the wikimania sites for the first time, logged in with their centralauth username and password, and continued on their way, which is one of the conditions where the local wiki stores the password hash used to initially create the account. So there is probably a higher number of users here who were notified, than on some of the other wikis.
I agree with others that the risk is very, very small; nonetheless, it is not non-existent.
Totally agree.
What does SUL2 mean? It doesn't seem to be documented at https://meta.wikimedia.org/wiki/SUL …
Thanks, Mike
On 3 October 2013 16:43, Chris Steipp csteipp@wikimedia.org wrote:
On Thu, Oct 3, 2013 at 10:06 AM, Risker risker.wp@gmail.com wrote:
Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part of SUL, so most users should use their CentralAuth account to log in. They are slightly odd in that we don't give you a cookie for those sites when you initially log in on another wiki, but with SUL2, you *should* get logged in when you visit the site.
However, since SUL2 is relatively new, and you wouldn't get automatically logged in when visiting the site with the original SUL, I'm guessing many users visited the wikimania sites for the first time, logged in with their centralauth username and password, and continued on their way, which is one of the conditions where the local wiki stores the password hash used to initially create the account. So there is probably a higher number of users here who were notified, than on some of the other wikis.
That's odd, Chris - I distinctly remember that I could not log in to either 2013 or 2014 Wikimania wikis but was required to create a new account. Perhaps that was before SUL2?
Risker/Anne
On Thu, Oct 3, 2013 at 2:12 PM, Risker risker.wp@gmail.com wrote:
On 3 October 2013 16:43, Chris Steipp csteipp@wikimedia.org wrote:
On Thu, Oct 3, 2013 at 10:06 AM, Risker risker.wp@gmail.com wrote:
Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.
wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part of SUL, so most users should use their CentralAuth account to log in. They are slightly odd in that we don't give you a cookie for those sites when you initially log in on another wiki, but with SUL2, you *should* get logged in when you visit the site.
However, since SUL2 is relatively new, and you wouldn't get automatically logged in when visiting the site with the original SUL, I'm guessing many users visited the wikimania sites for the first time, logged in with their centralauth username and password, and continued on their way, which is one of the conditions where the local wiki stores the password hash used to initially create the account. So there is probably a higher number of users here who were notified, than on some of the other wikis.
That's odd, Chris - I distinctly remember that I could not log in to either 2013 or 2014 Wikimania wikis but was required to create a new account. Perhaps that was before SUL2?
Most likely.. we just rolled out SUL2 [1] in July, so most users probably had the same experience you did when using the 2013 site. Hopefully for 2014, everything will just work for most users.
[1] - SUL2: Updates to how CentralAuth logs users in across projects, part of the https://www.mediawiki.org/wiki/Auth_systems project