Perl PAUSE accounts also possibly compromisedThe recent Zero for 0wned (ZF0) e-zine, which revealed hacks against multiple websites, disclosed the plain text passwords of some 580 high-ranking PerlMonks users and claimed that its authors had the complete user database. The Perl programmers frequenting PerlMonks also have accounts on the official [Perl programming] Authors Upload Server (PAUSE) and, according to ZF0, many of them reuse passwords.
During the evening of July 28, a text document called ZF05.txt was published online. The file described recent successful attacks against servers hosting the websites of renowned security experts, companies, as well as programming and hacking communities. Amongst them was PerlMonks, a highly popular Perl forum, coordinated by the Perl Foundation.
"Some time on May 20, 2009, an unused (but still on line) perlmonks server was hacked, and its root password obtained by unknown individuals. The hacker(s) dumped contents from the perlmonks user database on that machine, data which is estimated to be current as of approximately September 2008," an official PerlMonks announcement reads. A later note estimates the accuracy of the information in the compromised database to as recent as mid-April.
The ZF05 document contained information, including the passwords, emails and real names of 580 PerlMonks janitors (website cleaners) and Saints (admins and moderators), including Tim Vroom, its founder. After being notified of the leak, the administrators notified the owners of the exposed accounts and forced a reset of all their passwords.
There's a bit of controversy going on as to why the passwords were stored in plain text in the first place, with some arguing that it was because of the very large user base. Password hashing was apparently on the TODO list for the future, but that has become a priority now.
There is yet no detailed information about the vulnerability that was exploited and whether it has been patched or not. It is only mentioned that the site's admins are currently working with the hosting provider to strengthen the security of the servers.
Some have expressed concerns that many of the high-ranking PerlMonks members also have accounts on the official PAUSE repository, which might be sharing the same password. In such cases, the integrity of the code hosted there might have been compromised. "In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?" the hackers write in ZF05.
"If you used your PerlMonks password on any other service (other sites, email, etc.), you should change those other passwords now — and […] do NOT reuse passwords! Ever!" the PerlMonks administration stresses.