FYI, this is for real. Some have asked me if it is made up. I don't know who owns that user, so we should ask on infra, I suspect. Also, this applies to all user accounts too on JIRA.
On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote:

> Dear Lucene Developers,
>
> You are receiving this email because you have a login,
> 'java-dev@lucene.apache.org', on the Apache JIRA installation,
> https://issues.apache.org/jira/
>
> On April 6 the issues.apache.org server was hacked. The attackers were able
> to install a trojan JIRA login screen and later get full root access:
>
> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
>
> We are assuming that the attackers have a copy of the JIRA database, which
> includes a hash (SHA-512 unsalted) of the password
> you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If the
> password you set was not of great quality (eg. based on a dictionary word), it
> should be assumed that the attackers can guess your password from the
> password hash via brute force.
>
> The upshot is that someone malicious may know both your email address and a
> password of yours.
>
> This is a problem because many people reuse passwords across online services.
> If you reuse passwords across systems, we urge you to change
> your passwords on ALL SYSTEMS that might be using the compromised JIRA
> password. Prime examples might be gmail or hotmail accounts, online
> banking sites, or sites known to be related to your email's domain,
> lucene.apache.org.
>
> Naturally we would also like you to reset your JIRA password. That can be
> done at:
>
> https://issues.apache.org/jira/secure/forgotpassword!default.jspa?username=java-...@lucene.apache.org
>
> We (the Apache JIRA administrators) sincerely apologize for this security
> breach. If you have any questions, please let us know by email.
> We are also available on the #asfinfra IRC channel on irc.freenode.net.
>
>
> Regards,
>
> The Apache Infrastructure Team
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
> For additional commands, e-mail: java-dev-h...@lucene.apache.org
>
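Added example, not part of the original thread and not Apache's code: an audit of the storage scheme the notice names (unsalted SHA-512), flagging accounts that need a forced reset, next to a salted, iterated alternative. The use of PBKDF2, the iteration count, the function names and the sample accounts are assumptions made for this illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumption: work factor picked for this example

def unsalted_sha512(password: str) -> str:
    """The scheme named in the notice: bare SHA-512, no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()

def accounts_needing_reset(stored: dict[str, str], wordlist: list[str]) -> set[str]:
    """Flag accounts whose unsalted hash matches any word in a weak-password list."""
    by_hash: dict[str, list[str]] = {}
    for account, digest in stored.items():
        by_hash.setdefault(digest, []).append(account)
    flagged: set[str] = set()
    for word in wordlist:
        # One hash per word is checked against every account at once; with no
        # salt, equal passwords always produce equal digests.
        flagged.update(by_hash.get(unsalted_sha512(word), []))
    return flagged

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, iterated storage: a fresh random salt per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

# Constructed sample data (hypothetical accounts, not taken from the incident)
SAMPLE_DB = {
    "alice": unsalted_sha512("sunshine"),
    "bob": unsalted_sha512("sunshine"),
    "carol": unsalted_sha512("T7#qv!9zLw-pR2"),
}
SAMPLE_WORDLIST = ["password", "sunshine", "letmein"]

if __name__ == "__main__":
    print(sorted(accounts_needing_reset(SAMPLE_DB, SAMPLE_WORDLIST)))
    # Same password, different salts: the stored digests no longer match.
    print(hash_password("sunshine")[1] != hash_password("sunshine")[1])
```

With per-account salts, the single-pass lookup in `accounts_needing_reset` no longer applies: every candidate word has to be re-derived for each account, at `ITERATIONS` hash rounds apiece.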