Brickipedia:Security Incident December 2016

From Brickipedia, the LEGO Wiki

The following is a statement prepared by Lewis Cawte


During December 2016, a security issue was identified by Jack Phoenix. Brickimedia's database backups were being provided at a publicly accessible web address. This included the global, shared database which includes the user table where user details and passwords are stored.

Jack and I corrected the cause of this issue when it was discovered, and today we have taken the final remaining steps to help eliminate any further threat posed by this leak.

While we have no reason to believe this leak was used, or any data stolen or downloaded, we cannot be sure, and as such we have taken the following precautions:

  1. Reset user tokens, resulting in sessions becoming invalid and users being logged out.
  2. Reset and cleared various caches and keys to further invalidate sessions and reduce the chances they can be abused.
  3. Forced a password reset for all users on their next login.

We strongly advise all users to change their passwords on other sites if they use the same password. While we do not expect any passwords have been compromised, it is possible that they could be cracked in the future if a copy of this table was taken. In general, it is good practice to use a unique password for every site and account you have. Furthermore, while the passwords are salted, other user details in this table, such as real name and email address fields, are not encrypted.

Please direct any questions you may have regarding this matter to the talk page, or for private matters, please email me at lcawte @ Please note that I cannot speculate on who caused this issue, as I have not been active in the Brickimedia Sysadmin team for a long time due to disagreements with various people involved with the running of the site.