Hi David,
Thanks for the information.
Some of us use the same 2FA for Phabricator as for on-wiki accounts. Should
the 2FA reset apply to all Wikimedia 2FAs that could be used for
Phabricator, or only those that actually have been used for Phabricator?
Is there a public ticket that people can watch for updates and where public
questions may be asked?
Pine
( https://meta.wikimedia.org/wiki/User:Pine )
On Thu, Jan 16, 2020, 13:25 David Sharpe <dsharpe(a)wikimedia.org> wrote:
Hello,
On 14 January 2020, staff at the Wikimedia Foundation discovered that a
data file exported from the Wikimedia Phabricator installation, our
engineering task and ticket tracking system, had been made publicly
available. The file was leaked accidentally; there was no intrusion. We
have no evidence that it was ever viewed or accessed. The Foundation's
Security team immediately began investigating the incident and removing the
related files. The data dump included limited non-public information such
as private tickets, login access tokens, and the second factor of the
two-factor authentication keys for Phabricator accounts. Passwords and
full login information for Phabricator were not affected -- that
information is stored in another, unaffected system.
The Security team has investigated and assesses that there is no known
impact from this incident. However, out of an abundance of caution, we are
resetting all Two-Factor Authentication keys for Phabricator and
invalidating the exposed login access tokens. Additionally, we continue to
encourage people to engage in online security best practices, such as
keeping your software updated and resetting your passwords regularly.
The Foundation will continue to investigate this incident and take steps
to prevent it from occurring again in the future. In the meantime,
Phabricator is online and functioning normally. We regret any inconvenience
this may have caused and will provide updates if we learn of any further
impact.
Respectfully,
David Sharpe
Senior Information Security Analyst
Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l