Page MenuHomePhabricator
Create Task
Maniphest T271624

Repeated multiple failed attempts to log into user accounts (leading to email notifications)
Closed, ResolvedPublicSecurity
Actions

Description

There's a few threads on enwiki going on about increased account hacking activity. For example, here. Opening this just so folks are aware.

Event Timeline

RoySmith created this task.Jan 9 2021, 10:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 9 2021, 10:00 PM
RoySmith added a subscriber: Xaosflux.Jan 9 2021, 10:22 PM
RoySmith added a subscriber: Johnuniq.Jan 9 2021, 10:25 PM
Daimona subscribed.Jan 9 2021, 10:52 PM
Aklapper renamed this task from Multiple account hacking attempts today to Repeated multiple failed attempts to log into user accounts (leading to email notifications).Jan 10 2021, 4:52 PM
DannyS712 subscribed.Jan 11 2021, 12:23 AM
Tgr subscribed.Jan 11 2021, 2:26 AM
<Reedy> https://grafana.wikimedia.org/d/000000004/authentication-metrics?viewPanel=10&orgId=1&from=now-2d&to=now
<Reedy> Been quite an increase in failed logins for ~30H
<Reedy> Quick look at some logs, looks like a form of dictionary/enumeration type attack again accounts

Per grafana, lasted from Friday 10 AM to Saturday 4 PM UTC, with something like 1500 login attempts / min.

As long as you use a strong unique password, you don't need to worry about attacks like these.

Reedy subscribed.Jan 11 2021, 4:14 PM

Graph for reference

Screenshot 2021-01-09 at 19.39.21.png (966×2 px, 175 KB)

Reedy moved this task from Incoming to Watching on the Security-Team board.Jan 11 2021, 4:19 PM
Tgr added a comment.Jan 11 2021, 7:23 PM

The attacks did not continue and did not expose any weakness so unless the Security team wants to follow up IMO we can close this task.

sbassett closed this task as Resolved.Jan 11 2021, 10:34 PM
sbassett assigned this task to Tgr.
sbassett triaged this task as Low priority.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett subscribed.

so unless the Security team wants to follow up IMO we can close this task.

I think we can close the task for now. If the spikes come back we can re-open or file a new task. I'm not sure there's much we can analyze here other than noting where the spikes originated.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 12 2021, 1:24 AM
sbassett changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL