In addition to the suggestions from Tim:
(0) Consider testing your password strength with a tool like http://www.testyourpassword.com/; be sure that the tool you use does not send your chosen password over the Internet and instead tests it locally.
(1) If you find it difficult to remember strong passwords, then consider using a password manager: https://en.wikipedia.org/wiki/Password_manager.
(2) As a variation on the suggestions above, please *do not* use the same password, or a similar password, for your email account that you use for your Wikimedia password. This applies both to WMF email accounts and community email accounts.
(3) Also consider changing, testing, and upgrading your passwords for your bot accounts.
(4) Also consider changing, testing, and upgrading your passwords for your IRC accounts.
Pine
On Wed, Nov 16, 2016 at 1:57 AM, Tim Starling tstarling@wikimedia.org wrote:
Since Friday, we've had a slow but steady stream of admin account compromises on WMF projects. The hacker group OurMine has taken credit for these compromises.
We're fairly sure now that their mode of operation involves searching for target admins in previous user/password dumps published by other hackers, such as the 2013 Adobe hack. They're not doing an online brute force attack against WMF. For each target, they try one or two passwords, and if those don't work, they go on to the next target. Their success rate is maybe 10%.
When they compromise an account, they usually do a main page defacement or similar, get blocked, and then move on to the next target.
Today, they compromised the account of a www.mediawiki.org admin, did a main page defacement there, and then (presumably) used the same password to log in to Gerrit. They took a screenshot, sent it to us, but took no other action.
So, I don't think they are truly malicious -- I think they are doing it for fun, fame, perhaps also for their stated goal of bringing attention to poor password security.
Indications are that they are familiarising themselves with MediaWiki and with our community. They probably plan on continuing to do this for some time.
We're doing what we can to slow them down, but admins and other users with privileged access also need to take some responsibility for the security of their accounts. Specifically:
- If you're an admin, please enable two-factor authentication. https://meta.wikimedia.org/wiki/H:2FA
- Please change your password, if you haven't already changed it in the last week. Use a new password that is not used on any other site.
- Please do not share passwords across different WMF services, for example, between the wikis and Gerrit.
(Cross-posted to wikitech-l and wikimedia-l, please copy/link elsewhere as appropriate.)
-- Tim Starling
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
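The checks the thread asks for can be done entirely on your own machine. The script below is an added example written for this thread; it is not code posted by Pine or Tim and not a Wikimedia tool. It covers Pine's point (0), a local strength test that never sends the password anywhere; Tim's point that the attackers look candidates up in published breach dumps, modelled here with a constructed, hashed stand-in for a local breach corpus; and Pine's point (2), that a wiki password must not be the same as, or a trivial variant of, the e-mail password, detected by normalising leet-speak and trailing digits and comparing edit distance. The entropy model, the leet table, the 60-bit threshold and the sample passwords are all assumptions of the example.

```python
import hashlib
import math
import re

# Constructed stand-in for a local copy of a breach corpus (the real thing would be a
# large file on disk). Stored as SHA-1 hex digests so no plaintext list is kept around.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Wikipedia1")
}

# Rough leet-speak map (an assumption of this example) used only to normalise
# passwords before comparing them for similarity.
LEET = str.maketrans("0143$@!", "oiaesai")


def in_breach_corpus(password: str) -> bool:
    """Look the password up in the local breach set; nothing leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def charset_size(password: str) -> int:
    """Size of the alphabet a guesser would have to assume for a brute-force attempt."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(alphabet). It ignores dictionary
    structure, so it over-estimates for real words; the breach and similarity
    checks below cover that gap."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def normalise(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo simple leet-speak.
    'Wikipedia2013!' and 'W1k1ped1a' both become 'wikipedia'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def are_similar(pw1: str, pw2: str, max_distance: int = 2) -> bool:
    """True when two passwords share a core that a guesser would try as a variant."""
    a, b = normalise(pw1), normalise(pw2)
    if not a or not b:  # all-digit or all-symbol passwords: compare the raw strings
        a, b = pw1.lower(), pw2.lower()
    if levenshtein(a, b) <= max_distance:
        return True
    shorter, longer = sorted((a, b), key=len)
    return len(shorter) >= 4 and shorter in longer


def assess(password: str, other_passwords=(), min_bits: float = 60.0) -> dict:
    """Run all three checks; 'other_passwords' are the ones used on other services
    (e-mail, Gerrit, IRC, bot accounts)."""
    findings = []
    if in_breach_corpus(password):
        findings.append("appears in breach corpus")
    bits = entropy_bits(password)
    if bits < min_bits:
        findings.append(f"only {bits:.0f} bits of estimated entropy (< {min_bits:.0f})")
    if any(are_similar(password, other) for other in other_passwords):
        findings.append("same as or similar to a password used on another service")
    return {"entropy_bits": round(bits, 1), "findings": findings, "acceptable": not findings}


if __name__ == "__main__":
    # Constructed sample: each candidate wiki password is checked against the
    # (constructed) e-mail password "Wikipedia2013!".
    for candidate in ("Wikipedia2016", "vN7#qLp2$wEzR4!kTmXa"):
        print(candidate, assess(candidate, other_passwords=["Wikipedia2013!"]))
```

Run it as-is and the first candidate is rejected purely because it is a year-bumped variant of the e-mail password, which is exactly the kind of guess that succeeds against a reused credential from an old dump, while the second passes all three checks. To use it for real, replace `BREACHED_SHA1` with a set loaded from a breach list kept on local disk, so that, as Pine's point (0) requires, the password is never sent over the network.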