On Thu, 3 May 2018 19:27:16 -0500 John Bennett <jbennett@wikimedia.org> wrote:
Hello,
Many of you may have been receiving emails in the last 24 hours warning you of "Multiple failed attempts to log in" with your account. I wanted to let you know that the Wikimedia Foundation's Security team is aware of the situation, and working with others in the organization on steps to decrease the success of attacks like these.
The exact source is not yet known, but it is not originating from our systems. That means it is an external effort to gain unauthorized access to random accounts. These types of efforts are increasingly common for websites of our reach. A vast majority of these attempts have been unsuccessful, and we are reaching out personally to the small number of accounts which we believe have been compromised.
While we are constantly looking at improvements to our security systems and processes to offset the impact of malicious efforts such as these, the best method of prevention continues to be the steps each of you take to safeguard your accounts. Because of this, we have taken steps in the past to support things like stronger password requirements,[1] and we continue to encourage everyone to take some routine steps to maintain a secure computer and account. That includes regularly changing your passwords,[2] actively running antivirus software on your systems, and keeping your system software up to date.
From my experience, anti-virus programs usually do more harm than good. For example, https://en.wikipedia.org/wiki/Norton_AntiVirus recently blocked my entire shlomifish.org domain because it apparently misclassified an executable download as problematic (and it was built from source using https://en.wikipedia.org/wiki/CMake and https://en.wikipedia.org/wiki/AppVeyor so it is unlikely that that is the case). MS Windows' poor resistance to malware and the fact that Windows Update is so dysfunctional (see http://www.shlomifish.org/humour/bits/facts/Windows-Update/ ) are the reasons why I cannot recommend running it as a desktop, and instead one should use https://en.wikipedia.org/wiki/Linux#Desktop - desktop Linux or similar.
A little off topic perhaps, but needs to be said.
My team will continue to investigate this incident, and report back if we notice any concerning changes. If you have any questions, please contact the Support and Safety team (susa@wikimedia.org).
John Bennett
Director of Security, Wikimedia Foundation
[1] https://meta.wikimedia.org/wiki/Password_strength_requirements
[2] https://meta.wikimedia.org/wiki/Special:ChangePassword