SourceForge, a giant in aiding open source software and bringing developers together, has been the target of an attack regarding their login system. The attack hit multiple areas of the site, and even after taking several precautions, SourceForge decided it would be best to simply do a global password reset.
SourceForge was quick to write up a full report of the incident on their blog, and also get the word out to their users via email. The open-source host believes it has stopped and removed the attack before it got too far. Server logs reveal that an SSH daemon had been modified to begin password-sniffing. It is unlikely that any developer passwords were compromised, but just to be safe instead of sorry they did a global password reset, explained in the email below:
We recently experienced a directed attack on SourceForge infrastructure (https://sourceforge.net/blog/sourceforge-net-attack) and so we are resetting all passwords in the sf.net database – just in case. We're emailing all sf.net registered account holders to let you know about this change to your account.
Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised. But, what we definitely don't want is to find out in two months that passwords were compromised and we didn't take action.
So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password.
The source of the attack is not known and the same with what exactly the reasons behind it were, other than potentially allowing a hacker to upload malicious versions of open source software. SourceForge is in the process of checking updates and locking down servers to prevent any unwanted surprises or another attack in the future.
Currently, they are working on data validation comparing pre-attack backups to files appearing on the site. Services will be brought back one by one and only when safety measures and data checks are in place to prevent unauthorized actions against developers.