Hi
I find it a little bit odd that you restored the system without
disabling all the current passwords in the Mantis system. If the
attacker might have the user passwords as you suggested, this would
result in a user-level access for them at the moment. Which might make a
second hack easier.
Might it not be a good idea to reset all the user passwords? This would
mean that all users would have to insert a new one on first reconnect
using their email to verify the user's right to access. (Does Mantis offer
this?)
PS: Thx for the info warning! Not every website does it when they get
hacked ;)
Carl Hetherington via DCPomatic writes:
It has transpired that around noon GMT on 16th April the DCP-o-matic project in
our bug database was deleted by actors unknown. It appears that they gained
administrator rights in our installation of the Mantis bug tracker.
If you have a Mantis account and you use the same password on any other sites
you are strongly advised to change this password everywhere it is used.
At the moment I don't think anything else on dcpomatic.com was compromised.
The bug tracker has been restored from a backup and I don't think much has been
lost. If you added a bug or comment since 16th April you will need to re-add
it.
Apologies for any inconvenience.
Kind regards,
Carl
_______________________________________________
DCPomatic mailing list
DCPomatic(a)carlh.net
http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
--
Markus Kalb
Filmkreis an der TU Darmstadt