Page MenuHomePhabricator
Create Task
Maniphest T193769

Thousands of failed login attempts (wrong password)
Closed, ResolvedPublic
Actions

Description

The number of failed login attempts due to a wrong password has increased abnormally.

The authentication metrics suggests that bots are trying to brute-force passwords. Several contributors receive the following notification: "There has been a failed attempt to log in to your account from a new device. Please make sure your account has a strong password".

Public version of private dupe T193762

Longer explanation for community members below - also on Wikimedia-l
Sysops and other users with advanced user rights can enable two-factor authentication.

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Taiwania_Justo subscribed.May 4 2018, 8:54 AM
FireFeather subscribed.May 4 2018, 9:06 AM
abian subscribed.May 4 2018, 9:08 AM
Elitre subscribed.May 4 2018, 9:41 AM
Elitre updated the task description. (Show Details)May 4 2018, 9:43 AM
Aklapper removed a project: SRE.May 4 2018, 9:54 AM
Mbch331 subscribed.May 4 2018, 10:39 AM
Altt311 subscribed.May 4 2018, 10:57 AM
Peachey88 added a subtask: T193846: Publish analysis of sustained login attack of 3 May 2018.May 4 2018, 11:16 AM
Trijnstel subscribed.May 4 2018, 11:19 AM
Tiven2240 subscribed.May 4 2018, 1:18 PM

On Marathi Wikipedia too we have got users complaining that there are notification of Failed Login attempts.

Users affected list can be found at https://mr.wikipedia.org/wiki/विकिपीडिया:मे_२०१८_सजगता_संदेश

Is there any matters to worry?.

Regards
Tiven2240
Admin MrWp

MGChecker subscribed.May 4 2018, 1:54 PM
Elitre added a comment.May 4 2018, 1:56 PM
In T193769#4182030, @Tiven2240 wrote:

On Marathi Wikipedia too we have got users complaining that there are notification of Failed Login attempts.

Users affected list can be found at https://mr.wikipedia.org/wiki/विकिपीडिया:मे_२०१८_सजगता_संदेश

Is there any matters to worry?.

Regards
Tiven2240
Admin MrWp

See https://lists.wikimedia.org/pipermail/wikimedia-l/2018-May/090145.html . You may recommend that all users with advanced user rights at your wiki enable further security steps such as https://meta.wikimedia.org/wiki/Help:Two-factor_authentication .

Elitre updated the task description. (Show Details)May 4 2018, 1:57 PM
Londonjackbooks subscribed.May 4 2018, 2:01 PM
Bawolff added a comment.May 4 2018, 2:52 PM

Is there any matters to worry?.

You should generally not worry about the current situation. We are monitoring closely. As always please ensure you are using a strong password.

Kuailong subscribed.May 4 2018, 2:52 PM
xSavitar subscribed.May 4 2018, 2:58 PM
Bawolff added a comment.May 4 2018, 3:18 PM
In T193769#4180966, @EtaoinWu wrote:

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly falls (from almost 100% to a normal rate).
Guess: the cracker find a way to bypass the CAPTCHA check (e.g. proxies, fake IP's).

We have a pretty good idea why that happened. Rest assured, the attacker did not find a way to bypass captchas.

AntiCompositeNumber subscribed.May 4 2018, 3:25 PM
Bawolff added a subtask: Restricted Task.May 4 2018, 5:21 PM
revi subscribed.May 4 2018, 5:30 PM
Huji subscribed.May 4 2018, 5:45 PM
In T193769#4180966, @EtaoinWu wrote:

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly falls (from almost 100% to a normal rate).
Guess: the cracker find a way to bypass the CAPTCHA check (e.g. proxies, fake IP's).

Or they gave up (temporarily)? Don't jump to conclusions so quickly :)

Huji added a comment.May 4 2018, 5:47 PM

For the record: also report on fawiki (and apparently, the attack was not through fawiki itself, but through enwiki).

Bawolff added a comment.May 4 2018, 5:53 PM
In T193769#4182826, @Huji wrote:
In T193769#4180966, @EtaoinWu wrote:

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly falls (from almost 100% to a normal rate).
Guess: the cracker find a way to bypass the CAPTCHA check (e.g. proxies, fake IP's).

Or they gave up (temporarily)? Don't jump to conclusions so quickly :)

No, it was something I specifically did at about 18:20 that would result in a change to the stats. (Nothing to see here, move along ;)

Huji added a comment.May 4 2018, 6:13 PM

Cool cool!

Matthewrbowker subscribed.May 4 2018, 8:38 PM
Udo_T unsubscribed.May 5 2018, 4:12 PM
Dvorapa subscribed.May 5 2018, 5:43 PM
This comment was removed by Dvorapa.
Cirdan subscribed.May 5 2018, 5:46 PM
Pine added a project: WMF-Legal.May 6 2018, 5:00 AM
Pine subscribed.

In addition to technical security mitigation and investigation, I hope that WMF Legal is involved in this matter, perhaps on one or more restricted Phab task(s). Feel free to revert my tagging of WMF-Legal on this task if someone with relevant knowledge thinks that the tag is unnecessary.

Ed7789 subscribed.May 6 2018, 1:13 PM
matej_suchanek subscribed.May 6 2018, 4:38 PM
Base subscribed.May 6 2018, 4:39 PM
Aklapper removed a project: WMF-Legal.May 7 2018, 10:38 AM
Aklapper mentioned this in T194025: Thousands of logging throttled into Wikimedia accounts going on (ongoing bruteforce attack?).May 7 2018, 11:17 AM
MarcoAurelio subscribed.May 7 2018, 11:18 AM
Rxy subscribed.May 7 2018, 11:20 AM
Reedy merged a task: T194025: Thousands of logging throttled into Wikimedia accounts going on (ongoing bruteforce attack?).May 7 2018, 12:02 PM
Reedy added a subscriber: Bsadowski1.
zhuyifei1999 subscribed.May 7 2018, 12:41 PM
MarcoAurelio added a comment.May 7 2018, 3:38 PM

Can I please be added to T193762 ? Thanks.

Paladox added a comment.May 7 2018, 3:58 PM

You carnt be added unless you have signed the nda.

Bawolff added a comment.May 7 2018, 4:02 PM
In T193769#4187140, @MarcoAurelio wrote:

Can I please be added to T193762 ? Thanks.

Sorry, but for the duration of the incident we are limiting the bug to people in the security group, and won't be adding others unless they have a "need to know"

Lnnocentius unsubscribed.May 7 2018, 4:07 PM
Framawiki subscribed.May 7 2018, 5:24 PM
Bawolff added a comment.May 7 2018, 6:10 PM

Hi everyone. While the attacker continues to try and login, we are currently blocking his/her login attempts. At this time, there is no need to panic or do anything. We of course encourage all users to always use a strong password.

Blahma updated the task description. (Show Details)May 7 2018, 8:15 PM
Mholloway subscribed.May 7 2018, 8:17 PM
Dane2007 added a comment.May 7 2018, 8:25 PM

2FA is currently available for "Edit filter manager" but not "Edit filter helper" (which can view the filters on enwiki). Would it be prudent to enable access to 2FA for that group? What about "Account Creator"?

MarcoAurelio added a comment.May 7 2018, 9:06 PM

Established users that are not in user groups that would let them use 2FA by default can request at https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_other_global_permissions to be added to the global oathauth-tester group so they can enable the feature on their accounts; provided that they've read and understood https://meta.wikimedia.org/wiki/Help:Two-factor_authentication specially with regards to the recovery tokens (scratch codes).

oteishisama subscribed.May 7 2018, 10:06 PM
Huji updated the task description. (Show Details)May 7 2018, 11:31 PM
JJMC89 subscribed.May 8 2018, 1:42 AM
OhKayeSierra subscribed.May 8 2018, 6:00 AM
Reedy removed a subtask: T194160: Unlock the login of bot user TaxonBot@TaxonBot to dewiki.May 8 2018, 2:29 PM
Richard923888 subscribed.May 8 2018, 3:26 PM
cg870456982 subscribed.May 8 2018, 4:47 PM
Troubled.asset subscribed.May 8 2018, 7:51 PM
Liuxinyu970226 subscribed.May 10 2018, 11:16 AM
Andykoo1990 subscribed.May 14 2018, 12:33 AM
xiaanan subscribed.May 21 2018, 7:35 AM
ToBeFree subscribed.May 22 2018, 10:01 AM
FranklinYu subscribed.May 23 2018, 5:43 PM
TerraCodes subscribed.Jun 2 2018, 8:19 AM
BethNaught subscribed.Jun 20 2018, 7:32 PM
Malyacko subscribed.Jun 29 2018, 10:41 AM
Vvjjkkii renamed this task from Thousands of failed login attempts (wrong password) to uodaaaaaaa.Jul 1 2018, 1:12 AM
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: MarcoAurelio, Huji, Aklapper.
Arkanosis renamed this task from uodaaaaaaa to Thousands of failed login attempts (wrong password).Jul 1 2018, 10:03 AM
Arkanosis updated the task description. (Show Details)
Arkanosis added subscribers: MarcoAurelio, Huji, Aklapper.
Arkanosis removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.Jul 1 2018, 10:06 AM
matmarex subscribed.Aug 30 2018, 11:58 PM
Bawolff moved this task from Incoming to To Follow Up on the Security-Team board.Sep 4 2018, 4:25 PM
chasemp mentioned this in T150300: icinga notification if elevated writing to badpass.log.Oct 2 2018, 12:50 PM
Tgr subscribed.Oct 31 2018, 10:31 PM

Is there anything actionable in this task? If not, it can probably should be closed and the generic suggestions about login hardening moved to a generic tracking task.

Elitre unsubscribed.Nov 8 2018, 5:03 PM
1997kB unsubscribed.Dec 1 2018, 2:39 AM
Aklapper added a subscriber: JBennett.Mar 11 2019, 11:11 AM

@JBennett: No updates for ten months. What is left to do in this task? Should it be closed or have a lower priority nowadays? Same question for the subtask...

Tiven2240 unsubscribed.Mar 11 2019, 12:24 PM
sbassett closed subtask Restricted Task as Resolved.Aug 13 2019, 10:21 PM
Jcross closed subtask T193846: Publish analysis of sustained login attack of 3 May 2018 as Resolved.Sep 23 2019, 4:11 PM
Jcross moved this task from To Follow Up to Waiting on the Security-Team board.
Jcross closed this task as Resolved.Sep 23 2019, 4:23 PM
Jcross claimed this task.
Jcross subscribed.

As nothing additional is required on this task, the Security Team is resolving. Please feel free to submit a new ticket should additional / further action be required.

sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.Sep 23 2019, 4:51 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL