Hi Grant, It is that user, who is assigned to the very early JIRA issues, e.g.: https://issues.apache.org/jira/browse/LUCENE-1
I changed the password of this user in response to that email (for security), but I think we should simply let infra remove it. The problem is, almost anybody can instruct JIRA to reset the password and let JIRA send it again to the "email" which is the public java-dev list. And then it is public again. Uwe ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de eMail: u...@thetaphi.de > -----Original Message----- > From: Grant Ingersoll [mailto:gsi...@gmail.com] On Behalf Of Grant > Ingersoll > Sent: Wednesday, April 14, 2010 1:50 AM > To: java-dev@lucene.apache.org > Subject: Re: issues.apache.org compromised: please update your > passwords > > FYI, this is for real. Some have asked me if it is made up. I don't > know who owns that user, so we should ask on infra, I suspect. Also, > this applies to all user accounts too on JIRA. > > On Apr 13, 2010, at 12:25 PM, r...@apache.org wrote: > > > Dear Lucene Developers, > > > > You are receiving this email because you have a login, 'java- > d...@lucene.apache.org', on the Apache JIRA installation, > https://issues.apache.org/jira/ > > > > On April 6 the issues.apache.org server was hacked. The attackers > were able to install a trojan JIRA login screen and later get full root > access: > > > > https://blogs.apache.org/infra/entry/apache_org_04_09_2010 > > > > We are assuming that the attackers have a copy of the JIRA database, > which includes a hash (SHA-512 unsalted) of the password > > you set when signing up as 'java-dev@lucene.apache.org' to JIRA. If > the password you set was not of great quality (eg. based on a > dictionary word), it > > should be assumed that the attackers can guess your password from the > password hash via brute force. > > > > The upshot is that someone malicious may know both your email address > and a password of yours. > > > > This is a problem because many people reuse passwords across online > services. If you reuse passwords across systems, we urge you to change > > your passwords on ALL SYSTEMS that might be using the compromised > JIRA password. Prime examples might be gmail or hotmail accounts, > online > > banking sites, or sites known to be related to your email's domain, > lucene.apache.org. > > > > Naturally we would also like you to reset your JIRA password. That > can be done at: > > > > > https://issues.apache.org/jira/secure/ForgotPassword!default.jspa?usern > ame=java-...@lucene.apache.org > > > > We (the Apache JIRA administrators) sincerely apologize for this > security breach. If you have any questions, please let us know by > email. > > We are also available on the #asfinfra IRC channel on > irc.freenode.net. > > > > > > Regards, > > > > The Apache Infrastructure Team > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org > > For additional commands, e-mail: java-dev-h...@lucene.apache.org > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org > For additional commands, e-mail: java-dev-h...@lucene.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org For additional commands, e-mail: java-dev-h...@lucene.apache.org
