Do i realy have to change my password!why?
-original message-
Subject: Wikimania-l Digest, Vol 91, Issue 3
From: [email protected]
Date: 03/10/2013 21:12
Send Wikimania-l mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wikimania-l digest..."
Today's Topics:
1. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Michael Peel)
2. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Nathan)
3. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Casey Brown)
4. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Chris Steipp)
5. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Michael Peel)
6. Re: Fwd: [Wikimedia-l] Notification about Wikimedia user
account security issue (Risker)
----------------------------------------------------------------------
Message: 1
Date: Thu, 3 Oct 2013 18:17:50 +0100
From: Michael Peel <[email protected]>
To: "Wikimania general list \(open subscription\)"
<[email protected]>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252
They look like they're linked into CentralAuth/global accounts/SUL to me…
Thanks,
Mike
On 3 Oct 2013, at 18:06, Risker <[email protected]> wrote:
> Please note that it is especially important to change your passwords on the
> Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013 and
> 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
>
> I agree with others that the risk is very, very small; nonetheless, it is not
> non-existent.
>
> Risker/Anne
>
> On 3 October 2013 05:36, Orsolya Gyenes <[email protected]> wrote:
> Yeah, I already gotten my mail... great... :(
>
> ~Orsolya
>
>
> 2013/10/3 Katie Chan <[email protected]>
> FYI, especially since wikimania2013 & wikimania2014 are two of the affected
> wikis.
>
> ---------- Forwarded message ----------
> From: Erik Moeller <[email protected]>
> Date: 3 October 2013 06:56
> Subject: [Wikimedia-l] Notification about Wikimedia user account security
> issue
> To: Wikimedia Mailing List <[email protected]>
>
>
> See also:
> https://meta.wikimedia.org/wiki/October_2013_private_data_security_issue
>
> On October 1, 2013, we learned about an implementation error that made
> private user information (specifically, user email addresses, password
> hashes, session tokens, and last login timestamp) for approximately
> 37,000 Wikimedia project users accessible to volunteers with access to
> the Wikimedia "LabsDB" infrastructure.
>
> LabsDB, launched in May 2013, is designed to give volunteers the
> ability to write tools and generate reports that make use of data from
> our databases in real-time. This supports bottom-up innovation by the
> Wikimedia community. As part of this process, private data is
> automatically redacted before volunteers are given access to the data.
> Unfortunately, for some of Wikimedia’s wikis[1], the database triggers
> used to redact private data failed to take effect due to a schema
> incompatibility, and LabsDB users had access to private user data for
> some user accounts in these specific wiki databases. As of October 1,
> 228 users have access to LabsDB, and the window of availability of
> this data was May 29, 2013 to October 1, 2013.
>
> This issue was discovered and reported by a trusted volunteer, and
> access to the data in question was revoked within 15 minutes of the
> report. We have no evidence to suggest that the private data in
> question was exported in bulk or used for malicious purposes, but we
> cannot definitively exclude the possibility. As a precautionary
> measure, we have invalidated all affected user sessions, and are
> requiring affected users to change their password on their next login.
>
> We have also sent an email notification to affected users with a
> confirmed email address.
>
> We regret this mistake. LabsDB is still a new part of our
> infrastructure, and we will fully audit the redaction process, so as
> to minimize any risk of a future mistake of this nature.
>
> Sincerely,
> Erik Moeller
> Vice President of Engineering & Product Development
>
> Contact information
>
> Should you have any questions, please contact us via email to:
>
> [email protected]
>
> You can also reach the Wikimedia Foundation at:
>
> Wikimedia Foundation, Inc.
> 149 New Montgomery Street
> Floor 6
> San Francisco, CA 94105
> United States
> Phone: +1-415-839-6885
> Fax: +1-415-882-0495
>
> [1] List of affected databases: aswikisource bewikisource dewikivoyage
> elwikivoyage enwikivoyage eswikivoyage frwikivoyage guwikisource
> hewikivoyage itwikivoyage kowikiversity lezwiki loginwiki minwiki
> nlwikivoyage plwikivoyage ptwikivoyage rowikivoyage ruwikivoyage
> sawikiquote slwikiversity svwikivoyage testwikidatawiki tyvwiki
> ukwikivoyage vecwiktionary votewiki wikidatawiki wikimania2013wiki
> wikimania2014wiki
>
>
> --
> Erik Möller
> VP of Engineering and Product Development, Wikimedia Foundation
>
> _______________________________________________
> Wikimedia-l mailing list
> [email protected]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> <mailto:[email protected]?subject=unsubscribe>
>
>
>
> --
> Katie Chan
> Volunteer Support Organiser
> Wikimedia UK
> +44 (0) 20 7065 0990
> +44 (0) 7885 980 534
>
> Wikimedia UK is a Charitable Company registered in England and Wales.
> Registered Company No. 6741827. Registered Charity No.1144513.
> Registered Office: 4th Floor, Development House, 56-64 Leonard Street, London
> EC2A 4LT. United Kingdom.
> Wikimedia UK is the UK chapter of a global Wikimedia movement. The Wikimedia
> projects are run by the Wikimedia Foundation (who operate Wikipedia, amongst
> other projects).
>
> Wikimedia UK is an independent non-profit charity with no legal control over
> Wikipedia nor responsibility for its contents.
>
>
> _______________________________________________
> Wikimania-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikimania-l
>
>
>
> _______________________________________________
> Wikimania-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikimania-l
>
>
> _______________________________________________
> Wikimania-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikimania-l
------------------------------
Message: 2
Date: Thu, 3 Oct 2013 13:18:12 -0400
From: Nathan <[email protected]>
To: "Wikimania general list (open subscription)"
<[email protected]>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<CALKX9dQcGQ1cKKGqBcpBhEMgHd0och-kYCGMDe13+sHOkLo=t...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Thu, Oct 3, 2013 at 1:06 PM, Risker <[email protected]> wrote:
> Please note that it is especially important to change your passwords on the
> Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013
> and 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
>
> I agree with others that the risk is very, very small; nonetheless, it is
> not non-existent.
>
> Risker/Anne
It sounds like they've already scrambled the passwords as part of
requiring the password reset procedure. Even if they haven't, Erik's
description of precautionary measures should mean that access to your
Wikimania (etc) accounts is disabled prior to a password reset using
your e-mail, so there's no real risk that someone will get into your
account (unless they can also get into your e-mail).
But normally notices of compromised passwords include standard
language suggesting that users change their passwords for any other
login where they've used similar information, in case the combination
of name and password is sold or someone attempts to use their
knowledge of you to access your information on other sites. Perhaps
that is part of the e-mail notification the WMF sent; if not, it's
good practice.
~Nathan
------------------------------
Message: 3
Date: Thu, 3 Oct 2013 14:43:12 -0400
From: Casey Brown <[email protected]>
To: "Wikimania general list (open subscription)"
<[email protected]>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<ca+txisvnqkre6m8fzxzojsqs2ccejuzqctpgwaui-f4lxye...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Thu, Oct 3, 2013 at 1:06 PM, Risker <[email protected]> wrote:
> Please note that it is especially important to change your passwords on the
> Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013
> and 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
Actually, changing your SUL password should change your password on
all your attached Wikimedia wikis accounts. This includes all public
wikis, but does not include private or fishbowl ones. So, for example,
if you also used the same password on wikimaniateamwiki or
foundationwiki, you will need to change it separately there.
On Thu, Oct 3, 2013 at 1:18 PM, Nathan <[email protected]> wrote:
> But normally notices of compromised passwords include standard
> language suggesting that users change their passwords for any other
> login where they've used similar information, in case the combination
> of name and password is sold or someone attempts to use their
> knowledge of you to access your information on other sites. Perhaps
> that is part of the e-mail notification the WMF sent; if not, it's
> good practice.
This too. If you used the same password combination elsewhere (you
shouldn't, but people often do), then you should change those too.
--
Casey Brown (Cbrown1023)
caseybrown.org
------------------------------
Message: 4
Date: Thu, 3 Oct 2013 13:43:46 -0700
From: Chris Steipp <[email protected]>
To: "Wikimania general list (open subscription)"
<[email protected]>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<cakcmtdzv5rcomj0aqhe1sc7x_peczy99sqsyra7mnp_qsdk...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
On Thu, Oct 3, 2013 at 10:06 AM, Risker <[email protected]> wrote:
> Please note that it is especially important to change your passwords on
> the Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013
> and 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
>
wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part
of SUL, so most users should use their CentralAuth account to login. They
are slightly odd in that we don't give you a cookie for those sites when
you initially login on another wiki, but with SUL2, you *should* get logged
in when you visit the site.
However, since SUL2 is relatively new, and you wouldn't get automatically
logged in when visiting the site with the original SUL, I'm guessing many
users visited the wikimania sites for the first time, logged in with their
centralauth username and password, and continued on their way, which is one
of the conditions where the local wiki stores the password hash used to
initially create the account. So there is probably a higher number of users
here who were notified, than on some of the other wikis.
>
> I agree with others that the risk is very, very small; nonetheless, it is
> not non-existent.
>
Totally agree.
>
> Risker/Anne
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.wikimedia.org/pipermail/wikimania-l/attachments/20131003/cb5ef202/attachment-0001.html>
------------------------------
Message: 5
Date: Thu, 3 Oct 2013 21:51:26 +0100
From: Michael Peel <[email protected]>
To: "Wikimania general list \(open subscription\)"
<[email protected]>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252
What does SUL2 mean? It doesn't seem to be documented at
https://meta.wikimedia.org/wiki/SUL
…
Thanks,
Mike
On 3 Oct 2013, at 21:43, Chris Steipp <[email protected]> wrote:
>
> On Thu, Oct 3, 2013 at 10:06 AM, Risker <[email protected]> wrote:
> Please note that it is especially important to change your passwords on the
> Wikimania wikis where you have accounts. These are non-SUL wikis and
> changing your SUL password will not effect a change on the Wikimania 2013 and
> 2014 wikis. Even if you never intend to edit those wikis again, your
> password and account could still hypothetically be compromised.
>
> wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part of
> SUL, so most users should use their CentralAuth account to login. They are
> slightly odd in that we don't give you a cookie for those sites when you
> initially login on another wiki, but with SUL2, you *should* get logged in
> when you visit the site.
>
> However, since SUL2 is relatively new, and you wouldn't get automatically
> logged in when visiting the site with the original SUL, I'm guessing many
> users visited the wikimania sites for the first time, logged in with their
> centralauth username and password, and continued on their way, which is one
> of the conditions where the local wiki stores the password hash used to
> initially create the account. So there is probably a higher number of users
> here who were notified, than on some of the other wikis.
>
>
> I agree with others that the risk is very, very small; nonetheless, it is not
> non-existent.
>
> Totally agree.
>
>
> Risker/Anne
>
>
> _______________________________________________
> Wikimania-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikimania-l
------------------------------
Message: 6
Date: Thu, 3 Oct 2013 17:12:52 -0400
From: Risker <[email protected]>
To: "Wikimania general list (open subscription)"
<[email protected]>
Subject: Re: [Wikimania-l] Fwd: [Wikimedia-l] Notification about
Wikimedia user account security issue
Message-ID:
<capxs8yrcvnfepda217zipfkfuh9qicej0ghq3a0bmaxf81f...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
On 3 October 2013 16:43, Chris Steipp <[email protected]> wrote:
>
> On Thu, Oct 3, 2013 at 10:06 AM, Risker <[email protected]> wrote:
>
>> Please note that it is especially important to change your passwords on
>> the Wikimania wikis where you have accounts. These are non-SUL wikis and
>> changing your SUL password will not effect a change on the Wikimania 2013
>> and 2014 wikis. Even if you never intend to edit those wikis again, your
>> password and account could still hypothetically be compromised.
>>
>
> wikimania2013.wikimedia.org and wikimania2014.wikimedia.org are both part
> of SUL, so most users should use their CentralAuth account to login. They
> are slightly odd in that we don't give you a cookie for those sites when
> you initially login on another wiki, but with SUL2, you *should* get logged
> in when you visit the site.
>
> However, since SUL2 is relatively new, and you wouldn't get automatically
> logged in when visiting the site with the original SUL, I'm guessing many
> users visited the wikimania sites for the first time, logged in with their
> centralauth username and password, and continued on their way, which is one
> of the conditions where the local wiki stores the password hash used to
> initially create the account. So there is probably a higher number of users
> here who were notified, than on some of the other wikis.
>
>
>>
>
>
That's odd, Chris - I distinctly remember that I could not log in to either
2013 or 2014 Wikimania wikis but was required to create a new
account. Perhaps that was before SUL2?
Risker/Anne
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.wikimedia.org/pipermail/wikimania-l/attachments/20131003/b8057092/attachment.html>
------------------------------
_______________________________________________
Wikimania-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
End of Wikimania-l Digest, Vol 91, Issue 3
******************************************
_______________________________________________
Wikimania-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikimania-l
