Thousands of failed login attempts (wrong password)
Open, High, Public

Description

The number of failed login attempts due to a wrong password has increased abnormally.

The authentication metrics suggest that bots are trying to brute-force passwords. Several contributors receive the following notification: "There has been a failed attempt to log in to your account from a new device. Please make sure your account has a strong password".

Public version of private dupe T193762

Longer explanation for community members below - also on Wikimedia-l
Sysops and other users with advanced user rights can enable two-factor authentication.
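The kind of signal the description refers to, an abnormal rise in wrong-password failures, can be checked with a windowed count against a recent baseline. This is an added example, not code from the task or from Wikimedia; the event schema, the `wrongpassword` label, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

def bucket(ts, minutes):
    """Truncate ts to the start of its window (minutes must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def failed_login_spikes(events, window=10, history=3, factor=5, floor=20):
    """Flag windows whose wrong-password count is >= floor and >= factor x
    the median of the previous `history` windows.
    events: (datetime, account, reason) tuples; this schema is assumed."""
    counts, accounts = Counter(), defaultdict(set)
    for ts, account, reason in events:
        if reason == "wrongpassword":  # assumed label for this failure type
            w = bucket(ts, window)
            counts[w] += 1
            accounts[w].add(account)
    if not counts:
        return []
    # Enumerate every window from first to last so quiet ones count as zero.
    step, series = timedelta(minutes=window), [min(counts)]
    while series[-1] < max(counts):
        series.append(series[-1] + step)
    spikes = []
    for i in range(history, len(series)):
        base = median(counts[w] for w in series[i - history:i])
        n = counts[series[i]]
        if n >= floor and n >= factor * max(base, 1):
            # Many distinct accounts in one window means a broad attack.
            spikes.append((series[i], n, len(accounts[series[i]])))
    return spikes

def sample_events():
    """Constructed data: three quiet windows, then a burst over 100 accounts."""
    t0 = datetime(2024, 1, 1, 12, 0)
    ev = [(t0 + timedelta(minutes=10 * w + i), f"user{i}", "wrongpassword")
          for w in range(3) for i in range(2)]
    ev.append((t0 + timedelta(minutes=5), "user0", "success"))
    burst = t0 + timedelta(minutes=30)
    ev += [(burst + timedelta(seconds=i), f"victim{i % 100}", "wrongpassword")
           for i in range(200)]
    return ev

if __name__ == "__main__":
    for start, n, targets in failed_login_spikes(sample_events()):
        print(f"{start:%H:%M} failures={n} distinct_accounts={targets}")
```

The third value in each result, the number of distinct accounts hit in the window, separates a broad attack across many accounts from repeated guessing against one.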


Spotted by the Hungarian Community too.

Yann added a comment. May 4 2018, 8:05 AM

FYI, there were several attempts yesterday, and again today, both on the English Wikipedia.

Elitre updated the task description. May 4 2018, 9:43 AM

On Marathi Wikipedia too we have got users complaining that there are notifications of failed login attempts.

The list of affected users can be found at https://mr.wikipedia.org/wiki/विकिपीडिया:मे_२०१८_सजगता_संदेश

Are there any matters to worry about?

Regards
Tiven2240
Admin MrWp

Elitre added a comment. May 4 2018, 1:56 PM

On Marathi Wikipedia too we have got users complaining that there are notifications of failed login attempts.

The list of affected users can be found at https://mr.wikipedia.org/wiki/विकिपीडिया:मे_२०१८_सजगता_संदेश

Are there any matters to worry about?

Regards
Tiven2240
Admin MrWp

See https://lists.wikimedia.org/pipermail/wikimedia-l/2018-May/090145.html . You may recommend that all users with advanced user rights at your wiki enable further security steps such as https://meta.wikimedia.org/wiki/Help:Two-factor_authentication .

Elitre updated the task description. May 4 2018, 1:57 PM

Are there any matters to worry about?

You should generally not worry about the current situation. We are monitoring closely. As always please ensure you are using a strong password.

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly fell (from almost 100% to a normal rate).
Guess: the cracker found a way to bypass the CAPTCHA check (e.g. proxies, fake IPs).

We have a pretty good idea why that happened. Rest assured, the attacker did not find a way to bypass captchas.

Bawolff added a subtask: Restricted Task. May 4 2018, 5:21 PM

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly fell (from almost 100% to a normal rate).
Guess: the cracker found a way to bypass the CAPTCHA check (e.g. proxies, fake IPs).

Or they gave up (temporarily)? Don't jump to conclusions so quickly :)

Huji added a comment. May 4 2018, 5:47 PM

For the record: also reported on fawiki (and apparently, the attack was not through fawiki itself, but through enwiki).

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly fell (from almost 100% to a normal rate).
Guess: the cracker found a way to bypass the CAPTCHA check (e.g. proxies, fake IPs).

Or they gave up (temporarily)? Don't jump to conclusions so quickly :)

No, it was something I specifically did at about 18:20 that would result in a change to the stats. (Nothing to see here, move along ;)

Huji added a comment. May 4 2018, 6:13 PM

Cool cool!

Pine added a subscriber: Pine.

In addition to technical security mitigation and investigation, I hope that WMF Legal is involved in this matter, perhaps on one or more restricted Phab task(s). Feel free to revert my tagging of WMF-Legal on this task if someone with relevant knowledge thinks that the tag is unnecessary.


Can I please be added to T193762 ? Thanks.

You can't be added unless you have signed the NDA.

Can I please be added to T193762 ? Thanks.

Sorry, but for the duration of the incident we are limiting the bug to people in the security group, and won't be adding others unless they have a "need to know".

Hi everyone. While the attacker continues to try to log in, we are currently blocking his/her login attempts. At this time, there is no need to panic or do anything. We of course encourage all users to always use a strong password.

Blahma updated the task description. May 7 2018, 8:15 PM

2FA is currently available for "Edit filter manager" but not "Edit filter helper" (which can view the filters on enwiki). Would it be prudent to enable access to 2FA for that group? What about "Account Creator"?

Established users that are not in user groups that would let them use 2FA by default can request at https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_other_global_permissions to be added to the global oathauth-tester group so they can enable the feature on their accounts, provided that they've read and understood https://meta.wikimedia.org/wiki/Help:Two-factor_authentication especially with regard to the recovery tokens (scratch codes).

Huji updated the task description. May 7 2018, 11:31 PM
Vvjjkkii renamed this task from Thousands of failed login attempts (wrong password) to uodaaaaaaa. Jul 1 2018, 1:12 AM
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: MarcoAurelio, Huji, Aklapper.
Arkanosis renamed this task from uodaaaaaaa to Thousands of failed login attempts (wrong password). Jul 1 2018, 10:03 AM
Arkanosis updated the task description.
Arkanosis added subscribers: MarcoAurelio, Huji, Aklapper.
Bawolff moved this task from Backlog to To Follow Up on the Security-Team board. Sep 4 2018, 4:25 PM
Tgr added a subscriber: Tgr. Wed, Oct 31, 10:31 PM

Is there anything actionable in this task? If not, it probably should be closed and the generic suggestions about login hardening moved to a generic tracking task.