On Wednesday morning we became aware of a misconfigured exception handler in the Hosted Chef Management Console that caused username and password information for a small subset of our users to be leaked via email internally at Chef. We have fixed the issue that was the source of the exposure, and we have privately contacted each of the accounts exposed by this issue. We nevertheless recommend that all users change their Hosted Chef password.
As a precaution, we strongly recommend that you change the password of your Hosted Chef account as well as other accounts where this password is used.
To change your password, log in to www.getchef.com/account and navigate to the Password and Key section. If you do not remember your password, you can reset it by visiting www.getchef.com/account/password. We recommend you do the same on other sites where you use this password.
As part of this incident, we have also released Enterprise Chef 11.1.2 and 1.4.8. If you have deployed Enterprise Chef in your infrastructure, we strongly recommend that you upgrade to the latest available release for the version that you are running.
We’re very sorry that this happened. We take security seriously at Chef, and the safekeeping of your sensitive information is our top priority. Please let us know if you have any questions, comments, or concerns. You can reach us at any time at firstname.lastname@example.org.
Stephen Delano, Lead Developer – Chef Server