Passwords snooped on during break-in to TYPO3.org web server
The operators of the TYPO3.org web site report that attackers have managed to gain unauthorised access to the server and steal the passwords of registered users. Attempts by the thieves to use the stolen passwords to access other web sites are already being reported. Users who use the same password on other sites as on TYPO3.org are being urged to change it.
All members of the TYPO3 Project have apparently been contacted:
"The offender had access to website user details including their passwords, and there have been reports of this data being used to access other websites. It also has to be expected that the data may have been disclosed to third parties.
Important! IF YOU HAVE USED THE SAME PASSWORD ON ANY OTHER SITE, PLEASE CHANGE IT IMMEDIATELY!"
The notification says the login system for TYPO3.org has been disabled and a new password will be required. The login function is being improved to prevent any unauthorised access to the community area. Further questions are being dealt with in an FAQ. Currently the FAQ only advises users to change their passwords on other systems where they may have used the same password and to use a password manager to keep track of those different passwords.
The identity of the attacker is said to be known, but no details of the break-in have yet been published. Also undisclosed so far is whether the passwords were held in plain text or as MD5 hashes on the TYPO3 web site.