In the wee hours of this morning, Thursday, October 3rd, over 35,000 users of Wikipedia's sister projects received a startling e-mail from the Wikimedia Foundation, telling them that their private user information had inadvertently been made available to as many as 228 users who were not authorized to see it. The exposed data included e-mail addresses, password hashes, and session tokens. With a password hash, an attacker can attempt "brute force" cracking of the actual password, so all of the affected users were told to reset their wiki passwords and warned that if they reuse the same password on other sites (like eBay, Facebook, or Gmail), their passwords on those sites should be changed, too. A leaked session token is worse in one respect: until it expires or is invalidated, whoever holds it can act as that user without cracking anything.
The security flaw, according to Erik Moeller, VP of Engineering & Product Development for the Wikimedia Foundation (WMF), was caused by an "implementation error" in a file made available to any volunteer at LabsDB. There were 228 such volunteers and WMF staff members who had been granted access to the LabsDB file containing data on 37,000 wiki users. Were these 228 users with access to tens of thousands of password hashes trustworthy? Nobody knows -- according to WMF contractor developer "Krinkle", access to the file wasn't vetted, as "anyone can sign up for an account and start developing software".
The breach was discovered and reported by a volunteer that the WMF says is "trusted", but the Foundation did not respond to Examiner's question of how the volunteer's trustworthiness was established. (Editor's note: Subsequent analysis at Wikipediocracy.com found that the volunteer who reported the breach was likely Maarten Dammers.) The personal data was available to anyone with access to LabsDB from May 29 until October 1, 2013. Fortunately, the passwords themselves were not stored alongside the e-mail addresses; only password "hashes" were exposed. A hash is not encryption: it is the output of a one-way function, so there is no key that turns it back into the password. What an attacker can do is guess. Cracking tools run through dictionaries of common passwords and combinations of letters, numbers, and symbols, hash each guess the same way the site did, and compare; when a guess produces the same hash, the attacker has recovered the password. How long that takes depends on how strong the password was and on whether the site used a salted, deliberately slow hashing scheme, which is why a reset was the right advice even though no plaintext passwords leaked.
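To make the guessing process concrete, here is an added example of a dictionary attack with mangling rules run against a small table of leaked hashes. It is not code from the article, from Wikimedia, or from MediaWiki, and it does not reproduce the scheme the LabsDB file actually used; the usernames, salts, wordlist, and the three hash schemes (unsalted MD5, salted SHA-256, PBKDF2 at an assumed 1,000 rounds) are constructed for the demo. It shows the two things a practitioner cares about: weak passwords fall regardless of scheme, and a slow iterated hash multiplies the attacker's cost per guess.

```python
"""Dictionary attack with mangling rules against leaked password hashes.

Added example for this article; it is not code from the article, from
Wikimedia, or from MediaWiki. The usernames, salts, wordlist and the
three hash schemes are constructed assumptions for the demo and say
nothing about the scheme the leaked LabsDB file actually used.
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 1000  # assumed work factor; real deployments use far more


def unsalted_md5(pw, salt):
    # Same password -> same digest for every user, and one fast hash per guess.
    return hashlib.md5(pw.encode()).hexdigest()


def salted_sha256(pw, salt):
    # Per-user salt defeats precomputed tables, but each guess is still cheap.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def pbkdf2_sha256(pw, salt):
    # Iterated KDF: every guess costs PBKDF2_ROUNDS HMAC-SHA256 computations.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS).hex()


SCHEMES = {"md5": unsalted_md5, "sha256": salted_sha256, "pbkdf2": pbkdf2_sha256}
# Relative cost of one guess under each scheme (hash computations per guess).
COST = {"md5": 1, "sha256": 1, "pbkdf2": PBKDF2_ROUNDS}


def make_leak():
    """Constructed 'leaked' table: (user, scheme, salt, digest). The plaintext
    passwords exist only here, to build the digests the attacker would see."""
    rows = [
        ("alice", "md5", b"", "letmein"),
        ("bob", "sha256", b"\x01\x02\x03\x04", "Wikipedia7"),
        ("carol", "pbkdf2", b"\xde\xad\xbe\xef", "password!"),
        ("dave", "sha256", b"\x0a\x0b\x0c\x0d", "dragon2013"),
        ("erin", "pbkdf2", b"\xca\xfe\xf0\x0d", "correct horse battery staple"),
    ]
    return [(u, s, salt, SCHEMES[s](pw, salt)) for u, s, salt, pw in rows]


WORDLIST = ["123456", "password", "qwerty", "letmein", "wikipedia", "dragon"]


def candidates(wordlist):
    """Wordlist entries plus simple mangling rules (capitalise, append '!' or a
    number), the kind of rules cracking tools apply on top of a dictionary."""
    suffixes = ["", "!"] + [str(n) for n in range(100)]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def crack(records, wordlist):
    """Return {user: (recovered_password_or_None, guesses, hash_computations)}."""
    results = {}
    for user, scheme, salt, digest in records:
        hash_fn = SCHEMES[scheme]
        recovered, guesses = None, 0
        for guess in candidates(wordlist):
            guesses += 1
            # Hash the guess exactly as the site did, then compare digests.
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered = guess
                break
        results[user] = (recovered, guesses, guesses * COST[scheme])
    return results


if __name__ == "__main__":
    for user, (pw, guesses, work) in crack(make_leak(), WORDLIST).items():
        status = f"cracked: {pw!r}" if pw else "not recovered"
        print(f"{user:6} {status:32} after {guesses:5} guesses, {work:9} hash computations")
```

Running it recovers alice, bob, and carol (all three chose dictionary words with trivial decorations), while dave's "dragon2013" survives only because the rule set is tiny, something an attacker facing a fast unsalted or salted hash can fix cheaply by adding rules. Erin's passphrase survives the full candidate set, and under PBKDF2 each of those failed guesses cost 1,000 hash computations instead of one; with a realistic work factor that gap is what turns a weekend of cracking into years.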
When LabsDB was rolled out, the folks at Wikimedia Foundation were touting it with pride. They trumpeted, "Sharing resources mean MOAR POWAR!!", and they promised "anonymized logs". There were only five "rules" presented to the users of the database, two of which were the now ironic "Private information needs to be handled carefully, if at all" and the rather juvenile "Don't be a dick". But with this security nightmare, the WMF has changed its tune to "We regret this mistake."
It hasn't been a good month for Wikimedia developers, who just weeks ago had to admit defeat and recall a terribly broken "VisualEditor" that the Wikipedia community reviled.