I’ve just got an email from typo3.org (where I have an account) informing me that their site was hacked and the users/passwords were stolen. So I should change my passwords on other sites if they are there too.
Here is a fragment from the email:
We have to inform you that an unauthorized person has gained administrative
access to the TYPO3.org website.
The offender had access to website user details including their passwords, and
there have been reports of this data being used to access other websites.
It also has to be expected that the data may have been disclosed to third
IF YOU HAVE USED THE SAME PASSWORD ON ANY OTHER SITE, PLEASE CHANGE IT
We have set up an FAQ page at http://typo3.org/about/faq/t3org-issue/
The page may be updated with new questions from time to time, so make sure to
check back before replying to this mail.
How stupid does someone have to be to store passwords in plain text? Because I must suppose that they were stored in plain text. Sincerely, I expected more from the TYPO3 guys. No matter how secure you think your application is, you must always store passwords encrypted with some algorithm, because if someone gains access to the database (it could be a hacker, it could be a former employee, and so on) they will have much less to gain from it.
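To make the point concrete, here is an added example (not from the post or from TYPO3) contrasting a constructed plaintext user table with the standard way to protect stored passwords: a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 here, with an assumed iteration count), so that a stolen database does not hand the attacker reusable passwords.

```python
import hashlib
import hmac
import os

# Constructed sample "user table" showing the weak practice: plaintext passwords.
# Anyone who reads this table (attacker, former employee, leaked backup)
# can immediately reuse every password on other sites.
PLAINTEXT_STORE = {"alice": "correct horse battery staple"}

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_password(password, salt=b""):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if not salt:
        salt = os.urandom(16)  # unique per user, defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_hashed_store(plaintext_store):
    """Migrate a plaintext table to hashed records; the originals are discarded."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    store = build_hashed_store(PLAINTEXT_STORE)
    print(store["alice"])  # what a database thief sees instead of the password
    print(verify_password("correct horse battery staple", store["alice"]))  # True
    print(verify_password("wrong guess", store["alice"]))  # False
```

A thief who copies the hashed table still has to brute-force each record separately, which is what the work factor and per-user salt are there to make expensive.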
In this way typo3.org probably compromised hundreds if not thousands of people’s accounts on other sites. Sure, it would be ideal to have a unique password for each site, but as practice shows, many people use the same password everywhere, or at least in many places.