Thursday, February 03, 2011

SourceForge Attacked

Received these two emails:

On Jan 28 2011:

We recently experienced a directed attack on SourceForge infrastructure and so we are resetting all passwords in the database -- just in case. We're e-mailing all registered account holders to let you know about this change to your account.

Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised. But, what we definitely don't want is to find out in 2 months that passwords were compromised and we didn't take action.

So, as a proactive measure we've invalidated your account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password:

If you need help with this, feel free to e-mail us:

We appreciate your patience with us as we work to respond to this attack. We'll be working through the weekend to get things back to normal as quickly as possible.

Watch for updates on the service outages on our blog:

Thank you,

The SourceForge Team

And Feb 1 2011:

Please review this notice and contact us at with any concerns.

There was recently an attack on SourceForge systems as detailed here:

As a SourceForge user, you should already have received notice of our password reset event, also noted on the login page.

As part of our response we examined account risks. User SSH key data may have been exposed during this incident. This is generally of limited concern since users post only the public key portion of their key pair.

In reviewing the SSH key data you uploaded for your account, we found one or more rows of data that did not appear to be a SSH public key. This could be junk text, private key data, or other data we can't programmatically identify.

As a precautionary measure we have taken the step of clearing the SSH key data we have on file for your account. Please generate a new SSH key, log in to and upload a new public key. Instructions on SSH key generation may be found in our site docs at:

If you have concerns or require assistance in generating/uploading a new SSH public key, please contact us at

Thank you, staff
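A check along the lines of the one described in the second email above, written as an added example (not SourceForge's own code): it parses the OpenSSH public-key line format and classifies each stored row as a public key, private-key material, or junk. The key-type allow-list and the sample rows are constructed assumptions, and the check is structural only; it does not validate the key material itself.

```python
import base64
import re
import struct

# Constructed allow-list of OpenSSH key-type labels (assumption, not from the page).
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
PRIVATE_RE = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")

def classify_key_row(row):
    """Return 'public', 'private' or 'junk' for one uploaded row.

    An OpenSSH public key line is "<type> <base64> [comment]", and the decoded
    blob starts with <type> again as an RFC 4253 length-prefixed string.
    """
    text = row.strip()
    if PRIVATE_RE.search(text):
        return "private"          # never store this; treat it as an exposure
    parts = text.split(None, 2)
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        return "junk"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "junk"
    if len(blob) < 4:
        return "junk"
    (type_len,) = struct.unpack(">I", blob[:4])
    if type_len > len(blob) - 4 or blob[4:4 + type_len] != parts[0].encode():
        return "junk"             # embedded type does not match the label
    return "public"

def audit_rows(rows):
    """Classify every row; an account with any non-'public' row gets its keys cleared."""
    return [classify_key_row(r) for r in rows]

def demo_public_key(key_type, material):
    """Build a syntactically valid public-key line from constructed material."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + material
    return key_type + " " + base64.b64encode(blob).decode() + " demo@example"

# Constructed sample rows: a good key, a pasted private-key header, and junk.
SAMPLE_ROWS = [
    demo_public_key("ssh-ed25519", struct.pack(">I", 32) + b"\x01" * 32),
    "-----BEGIN RSA PRIVATE KEY-----",
    "ssh-rsa notbase64!!! user@host",
    "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-dss").decode(),
    "just some junk text",
]

if __name__ == "__main__":
    for row, label in zip(SAMPLE_ROWS, audit_rows(SAMPLE_ROWS)):
        print(f"{label:8} {row[:40]}")
```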

And now the interesting bits from the full report:

Password invalidation

Our analysis uncovered (among other things) a hacked SSH daemon, which was modified to do password capture. We don’t have reason to believe the attacker was successful in collecting passwords. But, the presence of this daemon and server-level access to one-way hashed, and encrypted, password data led us to take the precautionary measure of invalidating all SourceForge user account passwords. Users have been asked to recover account access by email.
