Chef Blogs

Security Breach: User information for tickets.opscode.com and wiki.opscode.com compromised.

Steven Danna | Posted on

What Happened?

A vulnerability in the third-party software that runs our Open Source Chef wiki and ticketing system was exploited to gain access to that particular system. While on this system, the attacker gained escalated privileges and downloaded the user database for the wiki and ticketing system.

What information was exposed?

The user database that was accessed contained usernames, email addresses, full names, and hashed passwords. We believe these passwords are adequately secure (the software in question uses the PBKDF2 algorithm), but we will be forcing a password change on the ticketing and wiki systems. If you use this password on other systems, we suggest choosing a new password on those systems as well. We will also contact the affected users via email today.

Were any of my personal tickets accessed?  What about my Hosted Chef data?

We are still investigating this breach; however, there is currently no evidence that any other systems were impacted or that  other data was compromised.

Does this affect my Hosted Chef accounts?

This does not directly impact your Hosted Chef data or accounts. If you use the same username and password, it is recommended that you change this.

How did you catch the breach?

Our security monitoring alerted us to the unauthorized access. Upon investigation, we confirmed the unauthorized activity and immediately took steps to terminate the unauthorized access, isolate the affected systems, and secure forensic data.

What has been done to prevent this type of unauthorized access?

We are working with our third party software providers to identify the vulnerability and apply the appropriate patches to the systems.

We will provide additional details as they become available.  We’re very sorry about this incident. We take security seriously and are addressing the incident as our top priority.

If you have any questions please contact Opscode at security@opscode.com.