Hello,

On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported
from the Wikimedia Phabricator installation, our engineering task and ticket tracking
system, had been made publicly available. The file was leaked accidentally; there was no
intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's
Security team immediately began investigating the incident and removing the related files.

The data dump included limited non-public information such as private tickets, login
access tokens, and the second factor of the two-factor authentication keys for Phabricator
accounts. Passwords and full login information for Phabricator were not affected -- that
information is stored in another, unaffected system.

The Security team has investigated and assesses that there is no known impact from this
incident. However, out of an abundance of caution, we are resetting all Two-Factor
Authentication keys for Phabricator and invalidating the exposed login access tokens.
Additionally, we continue to encourage people to engage in online security best practices,
such as keeping your software updated and resetting your passwords regularly.

The Foundation will continue to investigate this incident and take steps to prevent it
from occurring again in the future. In the meantime, Phabricator is online and functioning
normally. We regret any inconvenience this may have caused and will provide updates if we
learn of any further impact.

Respectfully,
David Sharpe
Senior Information Security Analyst
Wikimedia Foundation