Mailing List Archive

14 January 2020 security incident on Phabricator
Hello,

On 14 January 2020, staff at the Wikimedia Foundation discovered that a data file exported from the Wikimedia Phabricator installation, our engineering task and ticket tracking system, had been made publicly available. The file was leaked accidentally; there was no intrusion. We have no evidence that it was ever viewed or accessed. The Foundation's Security team immediately began investigating the incident and removing the related files. The data dump included limited non-public information such as private tickets, login access tokens, and the second factor of the two-factor authentication keys for Phabricator accounts. Passwords and full login information for Phabricator were not affected -- that information is stored in another, unaffected system.

The Security team has investigated and assesses that there is no known impact from this incident. However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens. Additionally, we continue to encourage people to engage in online security best practices, such as keeping your software updated and resetting your passwords regularly.

The Foundation will continue to investigate this incident and take steps to prevent it from occurring again in the future. In the meantime, Phabricator is online and functioning normally. We regret any inconvenience this may have caused and will provide updates if we learn of any further impact.


Respectfully,

David Sharpe
Senior Information Security Analyst
Wikimedia Foundation




_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Hi David,

Thanks for the information.

Some of us use the same 2FA for Phabricator as for on wiki accounts. Should
the 2FA reset apply to all Wikimedia 2FAs that could be used for
Phabricator, or only those that actually have been used for Phabricator?

Is there a public ticket that people can watch for updates and where public
questions may be asked?

Pine
( https://meta.wikimedia.org/wiki/User:Pine )


On Thu, Jan 16, 2020, 13:25 David Sharpe <dsharpe@wikimedia.org> wrote:

>
>
> Hello,
>
> On 14 January 2020, staff at the Wikimedia Foundation discovered that a
> data file exported from the Wikimedia Phabricator installation, our
> engineering task and ticket tracking system, had been made publicly
> available. The file was leaked accidentally; there was no intrusion. We
> have no evidence that it was ever viewed or accessed. The Foundation's
> Security team immediately began investigating the incident and removing the
> related files. The data dump included limited non-public information such
> as private tickets, login access tokens, and the second factor of the
> two-factor authentication keys for Phabricator accounts. Passwords and
> full login information for Phabricator were not affected -- that
> information is stored in another, unaffected system.
>
> The Security team has investigated and assesses that there is no known
> impact from this incident. However, out of an abundance of caution, we are
> resetting all Two-Factor Authentication keys for Phabricator and
> invalidating the exposed login access tokens. Additionally, we continue to
> encourage people to engage in online security best practices, such as
> keeping your software updated and resetting your passwords regularly.
>
> The Foundation will continue to investigate this incident and take steps
> to prevent it from occurring again in the future. In the meantime,
> Phabricator is online and functioning normally. We regret any inconvenience
> this may have caused and will provide updates if we learn of any further
> impact.
>
>
> Respectfully,
>
> David Sharpe
> Senior Information Security Analyst
> Wikimedia Foundation
>
>
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
On Thu, Jan 16, 2020 at 2:50 PM Pine W <wiki.pine@gmail.com> wrote:

> Some of us use the same 2FA for Phabricator as for on wiki accounts. Should
> the 2FA reset apply to all Wikimedia 2FAs that could be used for
> Phabricator, or only those that actually have been used for Phabricator?
>

Hi Pine,

Phabricator has its own 2fa system that is separate from that of your wiki
account 2fa.

You may be using the same authenticator application on your phone, but
there are separate accounts/codes for your wiki account and for your
Phabricator account.

tl;dr: this only affects your Phabricator 2fa token, no other tokens.

Best,

Greg

--
| Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
| Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Hi Greg,

The way that I log into Phab is by using
https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging
into MediaWiki and authorizing Phab to access my credentials. The MediaWiki
login including the 2FA is the same that I use for many other Wikimedia
sites.

So, although this 2FA allows logins to Phabricator, it sounds like there is
a separate 2FA for some people for Phabricator access, perhaps for people
with LDAP logins, and that is the 2FA that is affected. Is this correct?

Pine
( https://meta.wikimedia.org/wiki/User:Pine )

On Thu, Jan 16, 2020, 15:18 Greg Grossmeier <greg@wikimedia.org> wrote:

> On Thu, Jan 16, 2020 at 2:50 PM Pine W <wiki.pine@gmail.com> wrote:
>
> > Some of us use the same 2FA for Phabricator as for on wiki accounts.
> Should
> > the 2FA reset apply to all Wikimedia 2FAs that could be used for
> > Phabricator, or only those that actually have been used for Phabricator?
> >
>
> Hi Pine,
>
> Phabricator has its own 2fa system that is separate from that of your wiki
> account 2fa.
>
> You may be using the same authenticator application on your phone, but
> there are separate accounts/codes for your wiki account and for your
> Phabricator account.
>
> tl;dr: this only affects your Phabricator 2fa token, no other tokens.
>
> Best,
>
> Greg
>
> --
> | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
> | Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Keeping this thread on-list to help others who might be unsure.

Hello Pine,

On Thu, Jan 16, 2020 at 4:23 PM Pine W <wiki.pine@gmail.com> wrote:

> The way that I log into Phab is by using
> https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging
> into MediaWiki and authorizing Phab to access my credentials. The MediaWiki
> login including the 2FA is the same that I use for many other Wikimedia
> sites.
>

Correct, you are logging into your MediaWiki account with your 2FA token,
then you are logging into Phabricator via OAuth.

None of those logins nor 2FA tokens were affected by this.


> So, although this 2FA allows logins to Phabricator, it sounds like there is
> a separate 2FA for some people for Phabricator access, perhaps for people
> with LDAP logins, and that is the 2FA that is affected. Is this correct?
>

Correct. Phabricator has its own 2FA system for people to use.

You can see if you use it via your Account Settings, then clicking on
"Multi-Factor Auth". That is the 2FA that is affected in this incident.

Best,

Greg

--
| Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
| Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Do those of us using Phabricator 2FA need to take any action?

On Fri, Jan 17, 2020 at 7:38 AM Greg Grossmeier <greg@wikimedia.org> wrote:

> Keeping this thread on-list to help others who might be unsure.
>
> Hello Pine,
>
> On Thu, Jan 16, 2020 at 4:23 PM Pine W <wiki.pine@gmail.com> wrote:
>
> > The way that I log into Phab is by using
> > https://phabricator.wikimedia.org/auth/start/?next=%2F, and then logging
> > into MediaWiki and authorizing Phab to access my credentials. The
> MediaWiki
> > login including the 2FA is the same that I use for many other Wikimedia
> > sites.
> >
>
> Correct, you are logging into your MediaWiki account with your 2FA token,
> then you are logging into Phabricator via OAuth.
>
> None of those logins nor 2FA tokens were affected by this.
>
>
> > So, although this 2FA allows logins to Phabricator, it sounds like there
> is
> > a separate 2FA for some people for Phabricator access, perhaps for people
> > with LDAP logins, and that is the 2FA that is affected. Is this correct?
> >
>
> Correct. Phabricator has its own 2FA system for people to use.
>
> You can see if you use it via your Account Settings, then clicking on
> "Multi-Factor Auth". That is the 2FA that is affected in this incident.
>
> Best,
>
> Greg
>
> --
> | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
> | Dir. Engineering Productivity A18D 1138 8E47 FAC8 1C7D |
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



--
Michael Holloway
Software Engineer, Product Infrastructure
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Hi,

If it is possible to do so, can you notify to the people whose 2FA were reset? I know at least few people who uses 2FA on Phab, and does not read emails from wikitech-l and/or wikimedia-l.

Thanks!

?? iPhone?? ??

> 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
>
> However, out of an abundance of caution, we are resetting all Two-Factor Authentication keys for Phabricator and invalidating the exposed login access tokens.


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Can you also confirm we need to take NO action?

RhinosF1

On Fri, 17 Jan 2020 at 11:02, revi <lists@revi.email> wrote:

> Hi,
>
> If it is possible to do so, can you notify to the people whose 2FA were
> reset? I know at least few people who uses 2FA on Phab, and does not read
> emails from wikitech-l and/or wikimedia-l.
>
> Thanks!
>
> ?? iPhone?? ??
>
> > 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
> >
> > However, out of an abundance of caution, we are resetting all Two-Factor
> Authentication keys for Phabricator and invalidating the exposed login
> access tokens.
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
There is a team working on the Phabricator 2FA action item right now. More to come soon…

No action is required for people without 2FA configured within Phabricator.



> On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1@gmail.com> wrote:
>
> Can you also confirm we need to take NO action?
>
> RhinosF1
>
> On Fri, 17 Jan 2020 at 11:02, revi <lists@revi.email> wrote:
>
>> Hi,
>>
>> If it is possible to do so, can you notify to the people whose 2FA were
>> reset? I know at least few people who uses 2FA on Phab, and does not read
>> emails from wikitech-l and/or wikimedia-l.
>>
>> Thanks!
>>
>> ?? iPhone?? ??
>>
>>> 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
>>>
>>> However, out of an abundance of caution, we are resetting all Two-Factor
>> Authentication keys for Phabricator and invalidating the exposed login
>> access tokens.
>>
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
What about those that do?

RhinosF1

On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe@wikimedia.org> wrote:

> There is a team working on the Phabricator 2FA action item right now.
> More to come soon…
>
> No action is required for people without 2FA configured within Phabricator.
>
>
>
> > On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1@gmail.com> wrote:
> >
> > Can you also confirm we need to take NO action?
> >
> > RhinosF1
> >
> > On Fri, 17 Jan 2020 at 11:02, revi <lists@revi.email> wrote:
> >
> >> Hi,
> >>
> >> If it is possible to do so, can you notify to the people whose 2FA were
> >> reset? I know at least few people who uses 2FA on Phab, and does not
> read
> >> emails from wikitech-l and/or wikimedia-l.
> >>
> >> Thanks!
> >>
> >> ?? iPhone?? ??
> >>
> >>> 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
> >>>
> >>> However, out of an abundance of caution, we are resetting all
> Two-Factor
> >> Authentication keys for Phabricator and invalidating the exposed login
> >> access tokens.
> >>
> >>
> >> _______________________________________________
> >> Wikitech-l mailing list
> >> Wikitech-l@lists.wikimedia.org
> >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
On Fri, 2020-01-17 at 17:21 +0000, RhinosF1 - wrote:
> What about those that do?

See the last email. It said: "More to come soon…".

andre
--
Andre Klapper (he/him) | Bugwrangler / Developer Advocate
https://blogs.gnome.org/aklapper/


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
The plan is as follows:

Sometime in the near future, we will be invalidating the sessions of anyone
who has an auth factor which was potentially affected. If you were one of
the potentially affected users then the next time you log in to
Phabricator, you should see a notification directing you to reset your TOTP
auth factor. If you don't see any notice like that then you are not among
those who were potentially affected.

I will post an update here once that is done, in the meantime you don't
need to take any action in particular.

On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - <rhinosf1@gmail.com> wrote:

> What about those that do?
>
> RhinosF1
>
> On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe@wikimedia.org> wrote:
>
> > There is a team working on the Phabricator 2FA action item right now.
> > More to come soon…
> >
> > No action is required for people without 2FA configured within
> Phabricator.
> >
> >
> >
> > > On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1@gmail.com> wrote:
> > >
> > > Can you also confirm we need to take NO action?
> > >
> > > RhinosF1
> > >
> > > On Fri, 17 Jan 2020 at 11:02, revi <lists@revi.email> wrote:
> > >
> > >> Hi,
> > >>
> > >> If it is possible to do so, can you notify to the people whose 2FA
> were
> > >> reset? I know at least few people who uses 2FA on Phab, and does not
> > read
> > >> emails from wikitech-l and/or wikimedia-l.
> > >>
> > >> Thanks!
> > >>
> > >> ?? iPhone?? ??
> > >>
> > >>> 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
> > >>>
> > >>> However, out of an abundance of caution, we are resetting all
> > Two-Factor
> > >> Authentication keys for Phabricator and invalidating the exposed login
> > >> access tokens.
> > >>
> > >>
> > >> _______________________________________________
> > >> Wikitech-l mailing list
> > >> Wikitech-l@lists.wikimedia.org
> > >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > > _______________________________________________
> > > Wikitech-l mailing list
> > > Wikitech-l@lists.wikimedia.org
> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
Thanks for the updates, transparency, and timely notifications.

I hope that I didn't sound like I was trying to be a pest earlier in this
thread. What may have been clear to people who are familiar with
Phabricator 2FA was not clear to me at the time.

Pine
( https://meta.wikimedia.org/wiki/User:Pine )
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
That conversation helped provide more clarity. Thank you for taking the time to respond!



> On Jan 20, 2020, at 11:30 PM, Pine W <wiki.pine@gmail.com> wrote:
>
> Thanks for the updates, transparency, and timely notifications.
>
> I hope that I didn't sound like I was trying to be a pest earlier in this
> thread. What may have been clear to people who are familiar with
> Phabricator 2FA was not clear to me at the time.
>
> Pine
> ( https://meta.wikimedia.org/wiki/User:Pine )
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
The update was deployed last night just a bit after midnight UTC. Upon
logging in, anyone with an affected auth factor should see a notification
with instructions for how to proceed.

For the curious, you can see screenshots of the notification which I
attached to the task for this change, T243247 [1].

[1]. https://phabricator.wikimedia.org/T243247

On Mon, Jan 20, 2020 at 8:17 PM Mukunda Modell <mmodell@wikimedia.org>
wrote:

> The plan is as follows:
>
> Sometime in the near future, we will be invalidating the sessions of
> anyone who has an auth factor which was potentially affected. If you were
> one of the potentially affected users then the next time you log in to
> Phabricator, you should see a notification directing you to reset your TOTP
> auth factor. If you don't see any notice like that then you are not among
> those who were potentially affected.
>
> I will post an update here once that is done, in the meantime you don't
> need to take any action in particular.
>
> On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - <rhinosf1@gmail.com> wrote:
>
>> What about those that do?
>>
>> RhinosF1
>>
>> On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe@wikimedia.org> wrote:
>>
>> > There is a team working on the Phabricator 2FA action item right now.
>> > More to come soon…
>> >
>> > No action is required for people without 2FA configured within
>> Phabricator.
>> >
>> >
>> >
>> > > On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1@gmail.com> wrote:
>> > >
>> > > Can you also confirm we need to take NO action?
>> > >
>> > > RhinosF1
>> > >
>> > > On Fri, 17 Jan 2020 at 11:02, revi <lists@revi.email> wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> If it is possible to do so, can you notify to the people whose 2FA
>> were
>> > >> reset? I know at least few people who uses 2FA on Phab, and does not
>> > read
>> > >> emails from wikitech-l and/or wikimedia-l.
>> > >>
>> > >> Thanks!
>> > >>
>> > >> ?? iPhone?? ??
>> > >>
>> > >>> 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
>> > >>>
>> > >>> However, out of an abundance of caution, we are resetting all
>> > Two-Factor
>> > >> Authentication keys for Phabricator and invalidating the exposed
>> login
>> > >> access tokens.
>> > >>
>> > >>
>> > >> _______________________________________________
>> > >> Wikitech-l mailing list
>> > >> Wikitech-l@lists.wikimedia.org
>> > >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>> > > _______________________________________________
>> > > Wikitech-l mailing list
>> > > Wikitech-l@lists.wikimedia.org
>> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>> >
>> >
>> > _______________________________________________
>> > Wikitech-l mailing list
>> > Wikitech-l@lists.wikimedia.org
>> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: 14 January 2020 security incident on Phabricator [ In reply to ]
The spelling of ‘August’ is wrong in the second image on
https://phabricator.wikimedia.org/T243247. Looks fine in the code though so
not sure if fixed.

RhinosF1

On Thu, 23 Jan 2020 at 16:55, Mukunda Modell <mmodell@wikimedia.org> wrote:

> The update was deployed last night just a bit after midnight UTC. Upon
> logging in, anyone with an affected auth factor should see a notification
> with instructions for how to proceed.
>
> For the curious, you can see screenshots of the notification which I
> attached to the task for this change, T243247 [1].
>
> [1]. https://phabricator.wikimedia.org/T243247
>
> On Mon, Jan 20, 2020 at 8:17 PM Mukunda Modell <mmodell@wikimedia.org>
> wrote:
>
> > The plan is as follows:
> >
> > Sometime in the near future, we will be invalidating the sessions of
> > anyone who has an auth factor which was potentially affected. If you were
> > one of the potentially affected users then the next time you log in to
> > Phabricator, you should see a notification directing you to reset your
> TOTP
> > auth factor. If you don't see any notice like that then you are not among
> > those who were potentially affected.
> >
> > I will post an update here once that is done, in the meantime you don't
> > need to take any action in particular.
> >
> > On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - <rhinosf1@gmail.com> wrote:
> >
> >> What about those that do?
> >>
> >> RhinosF1
> >>
> >> On Fri, 17 Jan 2020 at 15:51, David Sharpe <dsharpe@wikimedia.org>
> wrote:
> >>
> >> > There is a team working on the Phabricator 2FA action item right now.
> >> > More to come soon…
> >> >
> >> > No action is required for people without 2FA configured within
> >> Phabricator.
> >> >
> >> >
> >> >
> >> > > On Jan 17, 2020, at 10:25 AM, RhinosF1 - <rhinosf1@gmail.com>
> wrote:
> >> > >
> >> > > Can you also confirm we need to take NO action?
> >> > >
> >> > > RhinosF1
> >> > >
> >> > > On Fri, 17 Jan 2020 at 11:02, revi <lists@revi.email> wrote:
> >> > >
> >> > >> Hi,
> >> > >>
> >> > >> If it is possible to do so, can you notify to the people whose 2FA
> >> were
> >> > >> reset? I know at least few people who uses 2FA on Phab, and does
> not
> >> > read
> >> > >> emails from wikitech-l and/or wikimedia-l.
> >> > >>
> >> > >> Thanks!
> >> > >>
> >> > >> ?? iPhone?? ??
> >> > >>
> >> > >>> 2020. 1. 17. 06:26, David Sharpe <dsharpe@wikimedia.org> ??:
> >> > >>>
> >> > >>> However, out of an abundance of caution, we are resetting all
> >> > Two-Factor
> >> > >> Authentication keys for Phabricator and invalidating the exposed
> >> login
> >> > >> access tokens.
> >> > >>
> >> > >>
> >> > >> _______________________________________________
> >> > >> Wikitech-l mailing list
> >> > >> Wikitech-l@lists.wikimedia.org
> >> > >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >> > > _______________________________________________
> >> > > Wikitech-l mailing list
> >> > > Wikitech-l@lists.wikimedia.org
> >> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >> >
> >> >
> >> > _______________________________________________
> >> > Wikitech-l mailing list
> >> > Wikitech-l@lists.wikimedia.org
> >> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >> _______________________________________________
> >> Wikitech-l mailing list
> >> Wikitech-l@lists.wikimedia.org
> >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
> >
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l