blogs.perl.org security breach
We regret to announce that blogs.perl.org was recently the subject of a data breach.
An attacker gained access to the database that runs the site, and was able to take a copy of all users’ hashed passwords. We’ve therefore cleared all users’ passwords as a precaution.
If you have an account on the site, you should have received an email telling you how to reset your password. If you haven’t received it soon, please let us know.
Even though the passwords were stored in a hashed form, rather than as plaintext, the blogging software we use (Movable Type) uses a relatively weak hashing algorithm, so the attacker may be able to determine your old password.
It is therefore very important that, if you used the same password on any system other than blogs.perl.org, you change the password you use there, too.
We apologise sincerely for the inconvenience this has caused our users, and for failing to live up to the trust that the Perl community has placed in us.
We were alerted to the breach in the morning of 22 January 2014 (UTC). Our immediate response was to disable all dynamic code execution on the site, to give us a chance to investigate the situation and make the necessary repairs. From that point on until a few moments ago, the dynamic parts of the site returned a “404 Not found” error.
Our investigation has revealed that the attacker used a security vulnerability in Movable Type to upload a tool that allowed them to deface the site, and to take the contents of the mt_author table (which contains names, email addresses, and hashed passwords). The contents of that table were then leaked on a publicly-accessible site.
We have deleted the attacker’s tool, and reinstalled Movable Type from a known-good copy. We’ve also applied a patch that fixes the underlying MT vulnerability; that patch was issued out-of-band, without the release of a fixed version of the software.
Finally, we’ve applied a custom patch to Movable Type that makes it use SHA-512 (with 96 bits of high-grade entropy as a salt) rather than the Triple-DES hash it uses by default. (We’d’ve preferred to use something like bcrypt or scrypt instead, but Movable Type’s architecture made that a prohibitively difficult choice, given our desire to return the site to normal operation as soon as possible.)
This means that, to the best of our knowledge, the attacker will not be able to break in again; and even in the event of a similar breach in the future, it would be much harder for someone to recover a plain-text password from the password hash.
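As an added illustration (not code from blogs.perl.org or from Movable Type), here is the salted SHA-512 scheme described above beside the scrypt option the post says it would have preferred, with a constant-time verifier for both. The `scheme$salt_hex$digest_hex` storage format and the scrypt work factors are assumptions of this example.

```python
import hashlib
import hmac
import os

SALT_BYTES = 12  # 96 bits of salt, as in the post's custom Movable Type patch


def _split(stored):
    # Storage format is an assumption of this example: "scheme$salt_hex$digest_hex".
    parts = stored.split("$")
    if len(parts) != 3:
        return None
    return parts[0], bytes.fromhex(parts[1]), parts[2]


def hash_sha512(password, salt=None):
    """Salted SHA-512, the scheme the post adopted. A fresh per-user salt
    defeats precomputed tables, but SHA-512 is fast, so it does not make
    each individual guess expensive for an attacker holding the table."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 96 bits")
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def hash_scrypt(password, salt=None):
    """scrypt, the memory-hard option the post would have preferred. The work
    factors are constructed values: n=2**14, r=8 costs about 16 MiB per guess."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many leading characters matched."""
    parsed = _split(stored)
    if parsed is None:
        return False
    scheme, salt, digest_hex = parsed
    pw = password.encode("utf-8")
    if scheme == "sha512":
        candidate = hashlib.sha512(salt + pw).hexdigest()
    elif scheme == "scrypt":
        candidate = hashlib.scrypt(pw, salt=salt, n=2**14, r=8, p=1, dklen=32).hex()
    else:
        return False  # unknown or legacy scheme: never accept
    return hmac.compare_digest(candidate, digest_hex)
```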
We’re also looking actively into replacing Movable Type in the near future, partly because it hasn’t been meeting our needs well. We hope to have more to announce on that front soon.
We reiterate our apologies for this. Please let us know if you have any further questions.
Update: You can reset your password here. Thanks to Ken Williams (in the comments) for suggesting adding this link.