lucene-dev mailing list archives

From Grant Ingersoll <gsing...@apache.org>
Subject Re: issues.apache.org compromised: please update your passwords
Date Tue, 13 Apr 2010 23:49:33 GMT
FYI, this is for real. Some have asked me if it is made up. I don't know who owns that user, so we should ask on infra, I suspect. Also, this applies to all user accounts too on JIRA.

On Apr 13, 2010, at 12:25 PM, root@apache.org wrote:

> Dear Lucene Developers,
> 
> You are receiving this email because you have a login, 'java-dev@lucene.apache.org', on the Apache JIRA installation, https://issues.apache.org/jira/
> 
> On April 6 the issues.apache.org server was hacked. The attackers were able to install a trojan JIRA login screen and later get full root access:
> 
> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> 
> We are assuming that the attackers have a copy of the JIRA database, which includes a hash (SHA-512 unsalted) of the password you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the password you set was not of great quality (e.g. based on a dictionary word), it should be assumed that the attackers can guess your password from the password hash via brute force.
> 
> The upshot is that someone malicious may know both your email address and a password of yours.
> 
> This is a problem because many people reuse passwords across online services. If you reuse passwords across systems, we urge you to change your passwords on ALL SYSTEMS that might be using the compromised JIRA password. Prime examples might be gmail or hotmail accounts, online banking sites, or sites known to be related to your email's domain, lucene.apache.org.
> 
> Naturally we would also like you to reset your JIRA password. That can be done at:
> 
> https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?username=java-dev@lucene.apache.org
> 
> We (the Apache JIRA administrators) sincerely apologize for this security breach. If you have any questions, please let us know by email.
> We are also available on the #asfinfra IRC channel on irc.freenode.net.
> 
> 
> Regards,
> 
> The Apache Infrastructure Team
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscribe@lucene.apache.org
> For additional commands, e-mail: java-dev-help@lucene.apache.org
> 
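The quoted notice treats unsalted SHA-512 password hashes as guessable. The sketch below is an added example, not part of the original message or of Apache's or JIRA's code: it stores the same constructed accounts once with unsalted SHA-512 and once with a per-user salt and PBKDF2, then checks what a copy of each table reveals. The account names, passwords, the `pbkdf2_sha512$...` storage format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

PBKDF2_ITERATIONS = 210_000  # assumed work factor, tune for your hardware
# Constructed sample accounts, not data from the incident.
SAMPLE = {"alice": "sunshine", "bob": "sunshine", "carol": "k3#Vq9!tLz"}

def unsalted_sha512(password: str) -> str:
    """The scheme the notice describes: one fast hash, no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()

def hash_password(password: str) -> str:
    """Hardened storage: per-user random salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha512":
            return False
        dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(dk_hex)
    except (ValueError, OverflowError):
        return False  # malformed record: reject instead of raising
    return hmac.compare_digest(dk, expected)

def shared_digest_groups(table: dict[str, str]) -> list[list[str]]:
    """Accounts whose stored values are identical, i.e. visibly the same password."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def demo() -> tuple[list[list[str]], list[list[str]]]:
    """Return the identical-value groups for the unsalted and the salted table."""
    weak = {u: unsalted_sha512(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    return shared_digest_groups(weak), shared_digest_groups(strong)

if __name__ == "__main__":
    print(demo())
```

In the unsalted table every account with the same password carries the same digest, so one computed guess applies to all of them at once; with a random salt and a slow KDF each record has to be worked on separately and at a much higher cost per guess.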


