
T3ORG issue FAQ

Why don't we get more information?

As the whole issue will be legally prosecuted, we cannot publish all information we have. 

Is the TYPO3 software safe? Did the incident occur because of a bug in TYPO3?

From the results of our investigations so far, we can exclude a software bug in TYPO3 as the cause of the security breach. In fact, the incident had nothing to do with the TYPO3 software at all.

What did you do after you noticed the incident?

Right after we noticed the incident, we took all necessary technical and organisational measures to protect your private information. In particular, we disabled the relevant systems to prevent any further criminal actions and informed you right away. We are taking legal action against the persons involved in this criminal act and have reported the offence to the legal authorities.

What are you improving? Which technical measures will be taken to prevent another incident?

After securing the evidence, our main goal at this point is to improve the security of our website. We are taking all possible technical and organisational measures to reach this goal. We regret that we cannot disclose the details of all measures taken, but we can assure you we are doing our best to minimize the risk of criminal interaction in the future.

What happened exactly?

As far as we could find out, an admin password was stolen and used to find out more passwords on typo3.org. At the moment we cannot disclose more, as we are preparing legal action against various persons.
At this time (Sat 15 Nov 2008) we have no evidence that someone hacked typo3.org by using a known or unknown software bug.

Frontend login is enabled again. What you should do:

Since all logins have been locked, you will need to go to
https://typo3.org/community/your-account/loginlogout/
and make use of the "Forgot your password?" link below the login form. Simply enter your user name and a new password will be generated and sent to the email address in your profile. Feel free to change the password after logging in for the first time.

I created a new password, but SVN write access does not work. What should I do?

If you are a member of a forge project and SVN write access does not work after you created a new password on typo3.org, make sure you have logged in to the forge website using the single sign-on at least once afterwards. This makes sure the needed login data is propagated.

I got an e-mail, what should I do?

The best would be to follow the instructions we collected for you. We highly recommend changing your password on all websites where you use the same or a similar password.

I'm not sure what password I used for typo3.org. Can you tell it to me again?

We can't. We removed all passwords to be 100% sure that there is no way to catch them.

I have many websites with a password, how should I remember all the passwords?

We recommend using a password manager program. There are a couple of existing ones; here is the one we are using ourselves: www.keepass.info

Sun 23 Nov 2008 16:01:23 CET