Do i realy have to change my password!why?
-original message-
Subject: Wikimania-l Digest, Vol 91, Issue 3
From: wikimania-l-request(a)lists.wikimedia.org
Date: 03/10/2013 21:12
Send Wikimania-l mailing list submissions to
wikimania-l(a)lists.wikimedia.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
or, via email, send a message with subject or body 'help' to
wikimania-l-request(a)lists.wikimedia.org
You can reach the person managing the list at
wikimania-l-owner(a)lists.wikimedia.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wikimania-l digest..."
Today's Topics:
1. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Michael Peel)
2. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Nathan)
3. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Casey Brown)
4. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Chris Steipp)
5. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Michael Peel)
6. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Risker)
----------------------------------------------------------------------
Message: 1
Date: Thu, 3 Oct 2013 18:17:50 +0100
From: Michael Peel <email(a)mikepeel.net>
To: "Wikimania general list \(open subscription\)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID: <4499360F-43E5-4034-8BC2-ECF6F700BF19(a)mikepeel.net>
Content-Type: text/plain; charset=windows-1252
They look like they're linked into CentralAuth/global accounts/SUL to me…
Thanks,
Mike
On 3 Oct 2013, at 18:06, Risker <risker.wp(a)gmail.com> wrote:
Please note that it is especially important to change
your passwords on the Wikimania wikis where you have accounts. These are non-SUL wikis
and changing your SUL password will not effect a change on the Wikimania 2013 and 2014
wikis. Even if you never intend to edit those wikis again, your password and account
could still hypothetically be compromised.
I agree with others that the risk is very, very small; nonetheless, it is not
non-existent.
Risker/Anne
On 3 October 2013 05:36, Orsolya Gyenes <gyenes.orsolya(a)wiki.media.hu> wrote:
Yeah, I already gotten my mail... great... :(
~Orsolya
2013/10/3 Katie Chan <katie.chan(a)wikimedia.org.uk>
FYI, especially since wikimania2013 & wikimania2014 are two of the affected wikis.
---------- Forwarded message ----------
From: Erik Moeller <erik(a)wikimedia.org>
Date: 3 October 2013 06:56
Subject: [Wikimedia-l] Notification about Wikimedia user account security issue
To: Wikimedia Mailing List <wikimedia-l(a)lists.wikimedia.org>
See also:
https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue
On October 1, 2013, we learned about an implementation error that made
private user information (specifically, user email addresses, password
hashes, session tokens, and last login timestamp) for approximately
37,000 Wikimedia project users accessible to volunteers with access to
the Wikimedia "LabsDB" infrastructure.
LabsDB, launched in May 2013, is designed to give volunteers the
ability to write tools and generate reports that make use of data from
our databases in real-time. This supports bottom-up innovation by the
Wikimedia community. As part of this process, private data is
automatically redacted before volunteers are given access to the data.
Unfortunately, for some of Wikimedia’s wikis[1], the database triggers
used to redact private data failed to take effect due to a schema
incompatibility, and LabsDB users had access to private user data for
some user accounts in these specific wiki databases. As of October 1,
228 users have access to LabsDB, and the window of availability of
this data was May 29, 2013 to October 1, 2013.
This issue was discovered and reported by a trusted volunteer, and
access to the data in question was revoked within 15 minutes of the
report. We have no evidence to suggest that the private data in
question was exported in bulk or used for malicious purposes, but we
cannot definitively exclude the possibility. As a precautionary
measure, we have invalidated all affected user sessions, and are
requiring affected users to change their password on their next login.
We have also sent an email notification to affected users with a
confirmed email address.
We regret this mistake. LabsDB is still a new part of our
infrastructure, and we will fully audit the redaction process, so as
to minimize any risk of a future mistake of this nature.
Sincerely,
Erik Moeller
Vice President of Engineering & Product Development
Contact information
Should you have any questions, please contact us via email to:
accountsecurity(a)wikimedia.org
You can also reach the Wikimedia Foundation at:
Wikimedia Foundation, Inc.
149 New Montgomery Street
Floor 6
San Francisco, CA 94105
United States
Phone: +1-415-839-6885
Fax: +1-415-882-0495
[1] List of affected databases: aswikisource bewikisource dewikivoyage
elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource
hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki
nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage
sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki
ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki
wikimania2014wiki
--
Erik Möller
VP of Engineering and Product Development, Wikimedia Foundation
_______________________________________________
Wikimedia-l mailing list
Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
--
Katie Chan
Volunteer Support Organiser
Wikimedia UK
+44 (0) 20 7065 0990
+44 (0) 7885 980 534
Wikimedia UK is a Charitable Company registered in England and Wales.
Registered Company No. 6741827. Registered Charity No.1144513.
Registered Office: 4th Floor, Development House, 56-64 Leonard Street, London EC2A 4LT.
United Kingdom.
Wikimedia UK is the UK chapter of a global Wikimedia movement. The Wikimedia projects are
run by the Wikimedia Foundation (who operate Wikipedia, amongst other projects).
Wikimedia UK is an independent non-profit charity with no legal control over Wikipedia
nor responsibility for its contents.
_______________________________________________
Wikimania-l mailing list
Wikimania-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
_______________________________________________
Wikimania-l mailing list
Wikimania-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
_______________________________________________
Wikimania-l mailing list
Wikimania-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
------------------------------
Message: 2
Date: Thu, 3 Oct 2013 13:18:12 -0400
From: Nathan <nawrich(a)gmail.com>
To: "Wikimania general list (open subscription)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CALKX9dQcGQ1cKKGqBcpBhEMgHd0och-kYCGMDe13+sHOkLo=TQ(a)mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Thu, Oct 3, 2013 at 1:06 PM, Risker <risker.wp(a)gmail.com> wrote:
Please note that it is especially important to change
your passwords on the
Wikimania wikis where you have accounts. These are non-SUL wikis and
changing your SUL password will not effect a change on the Wikimania 2013
and 2014 wikis. Even if you never intend to edit those wikis again, your
password and account could still hypothetically be compromised.
I agree with others that the risk is very, very small; nonetheless, it is
not non-existent.
Risker/Anne
It sounds like they've already scrambled the passwords as part of
requiring the password reset procedure. Even if they haven't, Erik's
description of precautionary measures should mean that access to your
Wikimania (etc) accounts is disabled prior to a password reset using
your e-mail, so there's no real risk that someone will get into your
account (unless they can also get into your e-mail).
But normally notices of compromised passwords include standard
language suggesting that users change their passwords for any other
login where they've used similar information, in case the combination
of name and password is sold or someone attempts to use their
knowledge of you to access your information on other sites. Perhaps
that is part of the e-mail notification the WMF sent; if not, it's
good practice.
~Nathan
------------------------------
Message: 3
Date: Thu, 3 Oct 2013 14:43:12 -0400
From: Casey Brown <lists(a)caseybrown.org>
To: "Wikimania general list (open subscription)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CA+txiSvNqkRE6m8fzxZOjsqS2cCeJUZQctpGwaUi-f4LxyeD+w(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Thu, Oct 3, 2013 at 1:06 PM, Risker <risker.wp(a)gmail.com> wrote:
Please note that it is especially important to change
your passwords on the
Wikimania wikis where you have accounts. These are non-SUL wikis and
changing your SUL password will not effect a change on the Wikimania 2013
and 2014 wikis. Even if you never intend to edit those wikis again, your
password and account could still hypothetically be compromised.
Actually, changing your SUL password should change your password on
all your attached Wikimedia wikis accounts. This includes all public
wikis, but does not include private or fishbowl ones. So, for example,
if you also used the same password on wikimaniateamwiki or
foundationwiki, you will need to change it separately there.
On Thu, Oct 3, 2013 at 1:18 PM, Nathan <nawrich(a)gmail.com> wrote:
But normally notices of compromised passwords include
standard
language suggesting that users change their passwords for any other
login where they've used similar information, in case the combination
of name and password is sold or someone attempts to use their
knowledge of you to access your information on other sites. Perhaps
that is part of the e-mail notification the WMF sent; if not, it's
good practice.
This too. If you used the same password combination elsewhere (you
shouldn't, but people often do), then you should change those too.
--
Casey Brown (Cbrown1023)
caseybrown.org
------------------------------
Message: 4
Date: Thu, 3 Oct 2013 13:43:46 -0700
From: Chris Steipp <csteipp(a)wikimedia.org>
To: "Wikimania general list (open subscription)"
<wikimania-l(a)lists.wikimedia.org>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CAKcmtDzv5RComj0aQhE1sc7x_peczy99sQsYrA7MNP_qSdKEfA(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
On Thu, Oct 3, 2013 at 10:06 AM, Risker <risker.wp(a)gmail.com> wrote:
Please note that it is especially important to change
your passwords on
the Wikimania wikis where you have accounts. These are non-SUL wikis and
changing your SUL password will not effect a change on the Wikimania 2013
and 2014 wikis. Even if you never intend to edit those wikis again, your
password and account could still hypothetically be compromised.
wikimania2013.wikimedia.org and
wikimania2014.wikimedia.org are both part
of SUL, so most users should use their CentralAuth account to login. They
are slightly odd in that we don't give you a cookie for those sites when
you initially login on another wiki, but with SUL2, you *should* get logged
in when you visit the site.
However, since SUL2 is relatively new, and you wouldn't get automatically
logged in when visiting the site with the original SUL, I'm guessing many
users visited the wikimania sites for the first time, logged in with their
centralauth username and password, and continued on their way, which is one
of the conditions where the local wiki stores the password hash used to
initially create the account. So there is probably a higher number of users
here who were notified, than on some of the other wikis.
I agree with others that the risk is very, very small; nonetheless, it is
not non-existent.
Totally agree.
Risker/Anne