in reply to It's Time for Everyone to Change Passwords!

It is likely that some people used the same password/login combination in other Perl related forums (i.e. use.perl, CPAN, rt, etc.).

As the list of passwords seems to be publicly available now, would it make sense to also check the user accounts on this sites and take the required measures to disable the ones found to be compromised?

At least, can we make a list of Perl relates sites users should check just in case they reused the Perlmonks password there?

  • Comment on Re: It's Time for Everyone to Change Passwords!

Replies are listed 'Best First'.
Re^2: It's Time for Everyone to Change Passwords!
by m0ve (Scribe) on Jul 29, 2009 at 12:19 UTC
    the site is 404 now and i found only one public mirror so far.
    however the hack is a few months old already : Fri Apr 15 13:34:52 2005
    btw interesting new user : 784161

    update: while the date was wrong (can't believe i misread this) the hack is still a few months old
[reply]
[d/l]
      that particular output of uname is the kernel version, IE when it was compiled. uname doesn't output the current date.
[reply]

      Please note: The April 15, 2005 date is the output of a uname command. The list of saints includes users who did not exist in 2005 and/or people who were only added to the Saints list at the end of April, 2009. This is a recent hack.

      Best, beth

[reply]
[d/l]
      however the hack ia few month old already : Fri Apr 15

      I'm guessing, but from comments in the CB I've gathered that the server that was hacked was an old machine, which is still up but no longer in active use. So the hack might very well be more recent, with only older information being disclosed.


      All dogma is stupid.
[reply]
[d/l]
        the info might be old but i guess most people don't change their passwords every few months so most of those passwords might be working.
[reply]
      It's still out there, now mirrored in several places (not by me, but others). Since PerlMonks is still up and running, some must think there's no risks remaining. In the interest of full disclosure here's the *TEXT ONLY* of the posting:
      There is a really simple reason we owned PerlMonks: we couldn't resist more than 50,000 unencrypted programmer passwords.

      That's right, unhashed. Just sitting in the database. From which they save convenient backups for us.

      Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let's just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I'm sure you can figure it out yourselves.

      This isn't a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.

      ...

      In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?

      Not worth our time ;)

[reply]

In Section Perl Monks Discussion