Do i realy have to change my password!why?

-original message- Subject: Wikimania-l Digest, Vol 91, Issue 3 From: wikimania-l-request@lists.wikimedia.org Date: 03/10/2013 21:12

Send Wikimania-l mailing list submissions to wikimania-l@lists.wikimedia.org

To subscribe or unsubscribe via the World Wide Web, visit https://lists.wikimedia.org/mailman/listinfo/wikimania-l or, via email, send a message with subject or body 'help' to wikimania-l-request@lists.wikimedia.org

You can reach the person managing the list at wikimania-l-owner@lists.wikimedia.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Wikimania-l digest..."

Today's Topics:

1. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue (Michael Peel) 2. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue (Nathan) 3. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue (Casey Brown) 4. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue (Chris Steipp) 5. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue (Michael Peel) 6. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue (Risker)

----------------------------------------------------------------------

Message: 1 Date: Thu, 3 Oct 2013 18:17:50 +0100 From: Michael Peel email@mikepeel.net To: "Wikimania general list (open subscription)" wikimania-l@lists.wikimedia.org Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue Message-ID: 4499360F-43E5-4034-8BC2-ECF6F700BF19@mikepeel.net Content-Type: text/plain; charset=windows-1252

They look like they're linked into CentralAuth/global accounts/SUL to me…

Thanks, Mike

On 3 Oct 2013, at 18:06, Risker risker.wp@gmail.com wrote:

Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.

I agree with others that the risk is very, very small; nonetheless, it is not non-existent.

Risker/Anne

On 3 October 2013 05:36, Orsolya Gyenes gyenes.orsolya@wiki.media.hu wrote: Yeah, I already gotten my mail... great... :(

~Orsolya

2013/10/3 Katie Chan katie.chan@wikimedia.org.uk FYI, especially since wikimania2013 & wikimania2014 are two of the affected wikis.

---------- Forwarded message ---------- From: Erik Moeller erik@wikimedia.org Date: 3 October 2013 06:56 Subject: [Wikimedia-l] Notification about Wikimedia user account security issue To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org

See also: https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue

On October 1, 2013, we learned about an implementation error that made private user information (specifically, user email addresses, password hashes, session tokens, and last login timestamp) for approximately 37,000 Wikimedia project users accessible to volunteers with access to the Wikimedia "LabsDB" infrastructure.

LabsDB, launched in May 2013, is designed to give volunteers the ability to write tools and generate reports that make use of data from our databases in real-time. This supports bottom-up innovation by the Wikimedia community. As part of this process, private data is automatically redacted before volunteers are given access to the data. Unfortunately, for some of Wikimedia’s wikis[1], the database triggers used to redact private data failed to take effect due to a schema incompatibility, and LabsDB users had access to private user data for some user accounts in these specific wiki databases. As of October 1, 228 users have access to LabsDB, and the window of availability of this data was May 29, 2013 to October 1, 2013.

This issue was discovered and reported by a trusted volunteer, and access to the data in question was revoked within 15 minutes of the report. We have no evidence to suggest that the private data in question was exported in bulk or used for malicious purposes, but we cannot definitively exclude the possibility. As a precautionary measure, we have invalidated all affected user sessions, and are requiring affected users to change their password on their next login.

We have also sent an email notification to affected users with a confirmed email address.

We regret this mistake. LabsDB is still a new part of our infrastructure, and we will fully audit the redaction process, so as to minimize any risk of a future mistake of this nature.

Sincerely, Erik Moeller Vice President of Engineering & Product Development

Contact information

Should you have any questions, please contact us via email to:

accountsecurity@wikimedia.org

You can also reach the Wikimedia Foundation at:

Wikimedia Foundation, Inc. 149 New Montgomery Street Floor 6 San Francisco, CA 94105 United States Phone: +1-415-839-6885 Fax: +1-415-882-0495

[1] List of affected databases: aswikisource bewikisource dewikivoyage elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki wikimania2014wiki

-- Erik Möller VP of Engineering and Product Development, Wikimedia Foundation

---

Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe

-- Katie Chan Volunteer Support Organiser Wikimedia UK +44 (0) 20 7065 0990 +44 (0) 7885 980 534

Wikimedia UK is a Charitable Company registered in England and Wales. Registered Company No. 6741827. Registered Charity No.1144513. Registered Office: 4th Floor, Development House, 56-64 Leonard Street, London EC2A 4LT. United Kingdom. Wikimedia UK is the UK chapter of a global Wikimedia movement. The Wikimedia projects are run by the Wikimedia Foundation (who operate Wikipedia, amongst other projects).

Wikimedia UK is an independent non-profit charity with no legal control over Wikipedia nor responsibility for its contents.

---

Wikimania-l mailing list Wikimania-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimania-l

---

Wikimania-l mailing list Wikimania-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimania-l

---

Wikimania-l mailing list Wikimania-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimania-l

------------------------------

Message: 2 Date: Thu, 3 Oct 2013 13:18:12 -0400 From: Nathan nawrich@gmail.com To: "Wikimania general list (open subscription)" wikimania-l@lists.wikimedia.org Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue Message-ID: CALKX9dQcGQ1cKKGqBcpBhEMgHd0och-kYCGMDe13+sHOkLo=TQ@mail.gmail.com Content-Type: text/plain; charset=UTF-8

On Thu, Oct 3, 2013 at 1:06 PM, Risker risker.wp@gmail.com wrote:

Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.

I agree with others that the risk is very, very small; nonetheless, it is not non-existent.

Risker/Anne

It sounds like they've already scrambled the passwords as part of requiring the password reset procedure. Even if they haven't, Erik's description of precautionary measures should mean that access to your Wikimania (etc) accounts is disabled prior to a password reset using your e-mail, so there's no real risk that someone will get into your account (unless they can also get into your e-mail).

But normally notices of compromised passwords include standard language suggesting that users change their passwords for any other login where they've used similar information, in case the combination of name and password is sold or someone attempts to use their knowledge of you to access your information on other sites. Perhaps that is part of the e-mail notification the WMF sent; if not, it's good practice.

~Nathan

------------------------------

Message: 3 Date: Thu, 3 Oct 2013 14:43:12 -0400 From: Casey Brown lists@caseybrown.org To: "Wikimania general list (open subscription)" wikimania-l@lists.wikimedia.org Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about Wikimedia user account security issue Message-ID: CA+txiSvNqkRE6m8fzxZOjsqS2cCeJUZQctpGwaUi-f4LxyeD+w@mail.gmail.com Content-Type: text/plain; charset=ISO-8859-1

On Thu, Oct 3, 2013 at 1:06 PM, Risker risker.wp@gmail.com wrote:

Please note that it is especially important to change your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis and changing your SUL password will not effect a change on the Wikimania 2013 and 2014 wikis. Even if you never intend to edit those wikis again, your password and account could still hypothetically be compromised.

Actually, changing your SUL password should change your password on all your attached Wikimedia wikis accounts. This includes all public wikis, but does not include private or fishbowl ones. So, for example, if you also used the same password on wikimaniateamwiki or foundationwiki, you will need to change it separately there.

On Thu, Oct 3, 2013 at 1:18 PM, Nathan nawrich@gmail.com wrote:

But normally notices of compromised passwords include standard language suggesting that users change their passwords for any other login where they've used similar information, in case the combination of name and password is sold or someone attempts to use their knowledge of you to access your information on other sites. Perhaps that is part of the e-mail notification the WMF sent; if not, it's good practice.

This too. If you used the same password combination elsewhere (you shouldn't, but people often do), then you should change those too.