SourceForge Resets All Passwords Following Security Breach

SourceForge, the world's largest open source software repository, has reset the password for all of its users following a successful attack against its infrastructure.

The SourceForge team discovered the security breach on Thursday when exploits were found uploaded on several servers.

A preliminary investigation revealed the attack originated on the CVS hosting server, but the actual attack vector has not been identified yet.

As a result of the incident, some functionality was immediately suspended, including CVS hosting, web-based source code browsing (ViewVC), the capability to upload new releases and the Interactive Shell services.

A subsequent update posted on the site's official blog did not reveal any more information except that the team now better understands what happened and how it can prevent it in the future.

A few hours ago an email went out to all users informing them that their passwords have been reset as a precaution.

"Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised.

But, what we definitely don't want is to find out in 2 months that passwords were compromised and we didn't take action," the SourceForge team wrote.

People will have to go through the email-based password recovery process in order to set a new password. Users who no longer have access to the email address on record or who don't remember the answer to their security question, can use an alternative form.

Meanwhile, work continues to determine the full extent of the compromise, restore data from backups and validate the security of disabled services before bringing them back online.

SourceForge is operated by Geeknet, the company that also owns and runs Slashdot, freshmeat and ThinkGeek.