Saw this on Hacker News: "PHP Site's User Database Was Hacked In Recent Source Code Backdoor Attack":
While this was initially treated as a compromise of the git.php.net server, further investigation into the incident has revealed that the commits were a result of pushing them using HTTPS and password-based authentication, leading them to suspect a possible leak of the master.php.net user database.
Judging from the server logs, the guess is that the attacker slipped the backdoor commits into the git repository by pushing over HTTPS with password-based authentication, rather than by breaking into the git server itself. If that guess is right, the attacker may already hold the master.php.net user database. The announcement also notes that the site was running on a very old environment, so the attacker may have found vulnerabilities in that software and built the attack around them.
The php.net team has since moved the site to TLS 1.2 and changed password storage from MD5 to bcrypt hashes. What I'm curious about: if the plaintext passwords were never kept, how do you go from MD5 to bcrypt? Hash twice? XD