I have found out what happened with the new password system and I’m not sure how to say this without seriously losing face, but;
It IS a system glitch that caused the problem.
In a rather obscure chain of events that took place last night, I can confirm that exactly 1000 users (though that is a coincidence) were emailed new passwords, three times, as a result of a failure of our code to check what now appears to be an obvious data input error…
The scenario is thus;
On the screen which you are supplied with if you cannot login to the system, is a text input box, and a button. If you merely click the button, WITHOUT entering a valid email address the system will reset the passwords of ANYONE and EVERYONE who has NOT set either their private email, or their public email. Users who have not set their private email will receive NO notification of the change, because the system cannot send it to you, since your email address is invalid. However, users who have a private email address, and a blank public email address (a perfectly acceptable and indeed for some people’s peace of mind, to remain anonymous to their readers, a required situation) will have received notification that their password has changed.
The bottom line is this;
- There was NO hack attempt. There were exactly 11 accesses to the new password script before midnight last night (three in short succession), and 26 between midnight and the time Matt disabled the change password system. That is not indicative of a hack attempt.
- NO data has been lost – though the inconvenience is perhaps incalculable.
- There was no likelihood of your accounts being compromised – the person who made the mistake on the change password form will NOT have received your new passwords, because there is no way to send them to him/her
- Abovementioned person almost certainly did NOT do this deliberately. Indeed, to do so he would have to have read our code and realised the bug. (Something I realised as soon as I saw it).
All in all this is just rather an embarrassing wake up call for us that we must NEVER take the security of the system for granted, but fortunately this time, the cause was most definitely benign.
If you have any questions, please direct them to me (firstname.lastname@example.org) directly, as Matt hasn’t been involved in this particular investigation and you’re not likely to get a quick answer from him this weekend anyway. Alternatively, and always preferred, please use email@example.com.
AtomIC Systems IP Ltd wishes to apologise to the 1000 or so users who have been inadvertantly troubled by this situation. We do take your privacy and the containment and security of your data seriously (and we thank (F-Secure Corporation for their generous sponsorship some time ago, which we still use) and you can see our committment to your privacy at http://www.deardiary.org/privacy.shtml
Again, our sincere apologies to all who were worried by the mass mailing of new passwords.