HomePhabricator
Phame Blogs Wikimedia Security Team J114
Additional details on OurMine

The guard rails I'll be following will be around the original blog post created by Darian Patrick in November 2016. I'll do my best to fill in what gaps I can.

What Happened?
The attackers targeted a small group of privileged and high profile users. It is most likely that the attackers were using passwords that had been published as part of dump of other compromised websites such as LinkedIn. This notion was also confirmed by compromised users that they were in fact recycling passwords across multiple sites with known password dumps. There was no evidence of system compromise.

What information was involved?
There is no evidence of any personal information being disclosed beyond usernames and passwords.

What was done about it?
Improved alerting and reporting to identify dictionary and brute force attacks
Extended password policy to mitigate attacks

John Bennett
Director of Security, Wikimedia Foundation

Previous Post
Details of dictionary attack from May 2018
Next Post
translatewiki.net security incident
Written by JBennett on Sep 7 2018, 6:37 PM.
User
Projects
Subscribers
Bawolff, Halfak
Tokens
"Like" token, awarded by Halfak.

Event Timeline

Halfak added a comment.Sep 7 2018, 6:51 PM

Was 2FA for admins part of this response?

JBennett added a comment.Sep 11 2018, 11:53 AM

This 1st round is really to address changes to our wiki password policy. Phase 2 is being planned and will address 2FA for privileged users.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits