FYI, this is for real.  Some have asked me if it is made up.  I don't know who 
owns that user, so we should ask on infra, I suspect.  Also, this applies to 
all  user accounts too on JIRA.

On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote:

> Dear Lucene Developers,
> 
> You are receiving this email because you have a login, 
> 'java-dev@lucene.apache.org', on the Apache JIRA installation, 
> https://issues.apache.org/jira/
> 
> On April 6 the issues.apache.org server was hacked. The attackers were able 
> to install a trojan JIRA login screen and later get full root access:
> 
> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> 
> We are assuming that the attackers have a copy of the JIRA database, which 
> includes a hash (SHA-512 unsalted) of the password
> you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the 
> password you set was not of great quality (eg. based on a dictionary word), it
> should be assumed that the attackers can guess your password from the 
> password hash via brute force.
> 
> The upshot is that someone malicious may know both your email address and a 
> password of yours.
> 
> This is a problem because many people reuse passwords across online services. 
> If you reuse passwords across systems, we urge you to change
> your passwords on ALL SYSTEMS that might be using the compromised JIRA 
> password. Prime examples might be gmail or hotmail accounts, online
> banking sites, or sites known to be related to your email's domain, 
> lucene.apache.org.
> 
> Naturally we would also like you to reset your JIRA password. That can be 
> done at:
> 
> https://issues.apache.org/jira/secure/forgotpassword!default.jspa?username=java-...@lucene.apache.org
> 
> We (the Apache JIRA administrators) sincerely apologize for this security 
> breach. If you have any questions, please let us know by email.
> We are also available on the #asfinfra IRC channel on irc.freenode.net.
> 
> 
> Regards,
> 
> The Apache Infrastructure Team
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
> For additional commands, e-mail: java-dev-h...@lucene.apache.org
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: java-dev-h...@lucene.apache.org

Reply via email to