Hello,
On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported from the Wikimedia Phabricator installation, our engineering task and ticket tracking system, had been made publicly available. The file was leaked accidentally; there was no intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's Security team immediately began investigating the incident and removing the related files. The data dump included limited non-public information such as private tickets, login access tokens, and the second factor of the two-factor authentication keys for Phabricator accounts. Passwords and full login information for Phabricator were not affected -- that information is stored in another, unaffected system.
The Security team has investigated and assesses that there is no known impact from this incident. However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens. Additionally, we continue to encourage people to engage in online security best practices, such as keeping your software updated and resetting your passwords regularly.
The Foundation will continue to investigate this incident and take steps to prevent it from occurring again in the future. In the meantime, Phabricator is online and functioning normally. We regret any inconvenience this may have caused and will provide updates if we learn of any further impact.
Respectfully,
David Sharpe
Senior Information Security Analyst
Wikimedia Foundation
Hi David,
Thanks for the information.
Some of us use the same 2FA for Phabricator as for on wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?
Is there a public ticket that people can watch for updates and where public questions may be asked?
Pine ( https://meta.wikimedia.org/wiki/User:Pine )
On Thu, Jan 16, 2020, 13:25 David Sharpe dsharpe@wikimedia.org wrote:
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Thu, Jan 16, 2020 at 2:50 PM Pine W wiki.pine@gmail.com wrote:
Some of us use the same 2FA for Phabricator as for on wiki accounts. Should the 2FA reset apply to all Wikimedia 2FAs that could be used for Phabricator, or only those that actually have been used for Phabricator?
Hi Pine,
Phabricator has its own 2fa system that is separate from that of your wiki account 2fa.
You may be using the same authenticator application on your phone, but there are separate accounts/codes for your wiki account and for your Phabricator account.
tl;dr: this only affects your Phabricator 2fa token, no other tokens.
Best,
Greg
Hi Greg,
The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites.
So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?
Pine ( https://meta.wikimedia.org/wiki/User:Pine )
On Thu, Jan 16, 2020, 15:18 Greg Grossmeier greg@wikimedia.org wrote:
--
Greg Grossmeier | Dir. Engineering Productivity
GPG: B2FA 27B1 F7EB D327 6B8E A18D 1138 8E47 FAC8 1C7D
Keeping this thread on-list to help others who might be unsure.
Hello Pine,
On Thu, Jan 16, 2020 at 4:23 PM Pine W wiki.pine@gmail.com wrote:
The way that I log into Phab is by using https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging into MediaWiki and authorizing Phab to access my credentials. The MediaWiki login including the 2FA is the same that I use for many other Wikimedia sites.
Correct, you are logging into your MediaWiki account with your 2FA token, then you are logging into Phabricator via OAuth.
None of those logins nor 2FA tokens were affected by this.
So, although this 2FA allows logins to Phabricator, it sounds like there is a separate 2FA for some people for Phabricator access, perhaps for people with LDAP logins, and that is the 2FA that is affected. Is this correct?
Correct. Phabricator has its own 2FA system for people to use.
You can see if you use it via your Account Settings, then clicking on "Multi-Factor Auth". That is the 2FA that is affected in this incident.
Best,
Greg
Do those of us using Phabricator 2FA need to take any action?
On Fri, Jan 17, 2020 at 7:38 AM Greg Grossmeier greg@wikimedia.org wrote:
Hi,
If it is possible to do so, can you notify the people whose 2FA was reset? I know at least a few people who use 2FA on Phab and do not read emails from wikitech-l and/or wikimedia-l.
Thanks!
Sent from my iPhone
On 2020. 1. 17. 06:26, David Sharpe dsharpe@wikimedia.org wrote:
However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.
Can you also confirm we need to take NO action?
RhinosF1
On Fri, 17 Jan 2020 at 11:02, revi lists@revi.email wrote:
There is a team working on the Phabricator 2FA action item right now. More to come soon…
No action is required for people without 2FA configured within Phabricator.
On Jan 17, 2020, at 10:25 AM, RhinosF1 - rhinosf1@gmail.com wrote:
Can you also confirm we need to take NO action?
What about those that do?
RhinosF1
On Fri, 17 Jan 2020 at 15:51, David Sharpe dsharpe@wikimedia.org wrote:
There is a team working on the Phabricator 2FA action item right now. More to come soon…
No action is required for people without 2FA configured within Phabricator.
On Fri, 2020-01-17 at 17:21 +0000, RhinosF1 - wrote:
What about those that do?
See the last email. It said: "More to come soon…".
andre
The plan is as follows:
Sometime in the near future, we will be invalidating the sessions of anyone who has an auth factor which was potentially affected. If you were one of the potentially affected users then the next time you log in to Phabricator, you should see a notification directing you to reset your TOTP auth factor. If you don't see any notice like that then you are not among those who were potentially affected.
I will post an update here once that is done; in the meantime you don't need to take any action in particular.
On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - rhinosf1@gmail.com wrote:
What about those that do?
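The plan described above (invalidate the sessions of users whose Phabricator TOTP factor was in the exposed dump, show them a reset notice at next login, then issue a fresh secret) as an added illustration in Python. This is not Wikimedia's or Phabricator's code: the data model, the function names, the sample users and the "affected factor id" set are all assumptions constructed for the example. It also shows the point Greg made earlier in the thread, that a user who only signs in through MediaWiki OAuth is untouched, and includes an RFC 6238 TOTP computation so that the effect of rotating the secret is visible.

```python
"""Post-exposure rotation of Phabricator-style TOTP auth factors.

Added illustration, not Wikimedia or Phabricator code. Models the plan
from the thread: invalidate sessions of users whose TOTP factor was in
the leaked dump, flag the factor so the next login prompts re-enrolment,
and leave users who only sign in via MediaWiki OAuth untouched.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set


# --- RFC 6238 TOTP (HMAC-SHA1, 30 s step), enough to show why an exposed
# secret must be replaced rather than merely re-verified.
def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a base32 secret at unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def new_totp_secret() -> str:
    """Fresh 160-bit secret, base32 without padding (assumed format)."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


@dataclass
class AuthFactor:
    factor_id: str
    kind: str                      # "totp" (Phabricator-native) or "oauth" (MediaWiki login)
    secret: Optional[str] = None   # only meaningful for kind == "totp"
    needs_reset: bool = False


@dataclass
class User:
    name: str
    factors: List[AuthFactor] = field(default_factory=list)


@dataclass
class Session:
    user: str
    session_id: str
    valid: bool = True


def invalidate_sessions_for_affected(users: List[User], sessions: List[Session],
                                     affected_factor_ids: Set[str]) -> Set[str]:
    """Step 1: flag every exposed TOTP factor and invalidate its user's sessions.
    OAuth-only users never match, so they keep their sessions.
    Returns the affected user names, the audience for the login notice."""
    affected_users: Set[str] = set()
    for user in users:
        for factor in user.factors:
            if factor.kind == "totp" and factor.factor_id in affected_factor_ids:
                factor.needs_reset = True
                affected_users.add(user.name)
    for session in sessions:
        if session.user in affected_users:
            session.valid = False
    return affected_users


def login_notice(user: User) -> Optional[str]:
    """Step 2: the notification shown at next login (None for unaffected users)."""
    if any(f.needs_reset for f in user.factors):
        return "Your TOTP auth factor was potentially exposed; please reset it."
    return None


def reset_totp_factor(factor: AuthFactor) -> str:
    """Step 3: issue a new secret; the old one can no longer produce valid codes."""
    factor.secret = new_totp_secret()
    factor.needs_reset = False
    return factor.secret


def verify(factor: AuthFactor, code: str, at: int) -> bool:
    """A flagged factor is refused outright until it has been reset."""
    if factor.kind != "totp" or factor.secret is None or factor.needs_reset:
        return False
    return hmac.compare_digest(totp(factor.secret, at), code)


if __name__ == "__main__":
    # Constructed sample data: alice uses a Phabricator TOTP factor,
    # bob logs in only through MediaWiki OAuth.
    alice = User("alice", [AuthFactor("factor-1", "totp", "JBSWY3DPEHPK3PXP")])
    bob = User("bob", [AuthFactor("factor-2", "oauth")])
    sessions = [Session("alice", "s-1"), Session("bob", "s-2")]
    hit = invalidate_sessions_for_affected([alice, bob], sessions, {"factor-1"})
    print("affected users:", hit, "| notices:", login_notice(alice), login_notice(bob))
    reset_totp_factor(alice.factors[0])
    print("alice verifies with new secret:", verify(alice.factors[0], totp(alice.factors[0].secret, 0), 0))
```

The refusal in `verify` while `needs_reset` is set is the design choice worth noting: between session invalidation and re-enrolment, a code derived from the exposed secret must not be accepted, even though it is still "correct" for that secret.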
Thanks for the updates, transparency, and timely notifications.
I hope that I didn't sound like I was trying to be a pest earlier in this thread. What may have been clear to people who are familiar with Phabricator 2FA was not clear to me at the time.
That conversation helped provide more clarity. Thank you for taking the time to respond!
On Jan 20, 2020, at 11:30 PM, Pine W wiki.pine@gmail.com wrote:
The update was deployed last night just a bit after midnight UTC. Upon logging in, anyone with an affected auth factor should see a notification with instructions for how to proceed.
For the curious, you can see screenshots of the notification which I attached to the task for this change, T243247 [1].
[1]. https://phabricator.wikimedia.org/T243247
On Mon, Jan 20, 2020 at 8:17 PM Mukunda Modell mmodell@wikimedia.org wrote:
The spelling of 'August' is wrong in the second image on https://phabricator.wikimedia.org/T243247. It looks fine in the code, though, so I'm not sure if it is fixed.
RhinosF1
On Thu, 23 Jan 2020 at 16:55, Mukunda Modell mmodell@wikimedia.org wrote: