On 14 January 2020, staff at the Wikimedia Foundation discovered that a data 
file exported from the Wikimedia Phabricator installation, our engineering task 
and ticket tracking system, had been made publicly available. The file was 
leaked accidentally; there was no intrusion. We have no evidence that it was 
ever viewed or accessed. The Foundation's Security team immediately began 
investigating the incident and removing the related files. The data dump 
included limited non-public information such as private tickets, login access 
tokens, and the second factor of the two-factor authentication keys for 
Phabricator accounts.  Passwords and full login information for Phabricator 
were not affected -- that information is stored in another, unaffected system.

The Security team has investigated and assesses that there is no known impact 
from this incident. However, out of an abundance of caution, we are resetting 
all Two-Factor Authentication keys for Phabricator and invalidating the exposed 
login access tokens. Additionally, we continue to encourage people to engage in 
online security best practices, such as keeping your software updated and 
resetting your passwords regularly.

The Foundation will continue to investigate this incident and take steps to 
prevent it from occurring again in the future. In the meantime, Phabricator is 
online and functioning normally. We regret any inconvenience this may have 
caused and will provide updates if we learn of any further impact.


David Sharpe
Senior Information Security Analyst
Wikimedia Foundation

Wikimedia-l mailing list: Wikimedia-l@lists.wikimedia.org