MusicBrainz hacked?


2 replies to this topic

#1 Nothing Here

Nothing Here

    Neowinian Senior

  • 2,164 posts
  • Joined: 23-February 08
  • Location: California, U.S.A.
  • OS: Windows 8 Pro / Kororaa 17

Posted 17 April 2013 - 14:13

I am a member and I got a strange email from them today. Was wondering if anyone else got the "Mandatory" password change email? I haven't clicked the link in it, but if it's real, I will go directly to the site and change it.

Here is the email, slightly altered to remove my username:


Dear XXXXXXX,

On March 29th 2013 we discovered that one of the MusicBrainz database dumps
contained password hashes for a large portion of MusicBrainz accounts. While we
don't believe that these password hashes are either useful or widely
distributed, we are requiring all users change their passwords.

The database dumps that contain this data were promptly deleted, and have been
replaced with correctly sanitized database dumps. Unfortunately logs from this
server do show that this database dump was downloaded, and as we have no real
indication of where this data now is, we're treating this seriously. We have
adjusted our database dumping scripts to be very specific about exactly which
data they should export, so that in the future we will not leak private data by
making the same mistake again.

We're extremely sorry about this mistake, and while we don't believe this data
should allow attackers to retrieve user passwords, we can't be 100% certain. As
such, we require that all users change their password as soon as possible.

The next time you login to the website, you will be requested to change your
password. Alternatively, you can go to the following link:

https://musicbrainz....ory=1&username=

Users should also note that access to authenticated web service calls, for
example to manage tags and ratings via Picard, are also blocked until passwords
are changed. If you are finding that software that uses MusicBrainz is not
behaving as you'd expect, please check that you can login via the website.

For more details, please see the blog post:

http://blog.musicbrainz.org/?p=1844

We're extremely sorry this happened, and thank you for your co-operation.

- The MusicBrainz Team


#2 Nick H.

Nick H.

    Neowinian Senior

  • 11,489 posts
  • Joined: 28-June 04
  • Location: Switzerland

Posted 17 April 2013 - 14:15

If you like and trust the site, then play it safe and change the password anyway (going directly to the site rather than using the link in the email, as you correctly pointed out).

#3 OP Nothing Here

Nothing Here

    Neowinian Senior

  • 2,164 posts
  • Joined: 23-February 08
  • Location: California, U.S.A.
  • OS: Windows 8 Pro / Kororaa 17

Posted 17 April 2013 - 14:18

Ok, upon going directly there, I put my pass in and then it wanted me to put in my old pass then a new one. So I guess it's legit.