As part of improving its infrastructure, W3C arranged an extensive penetration test by the security consulting firm Cure53. They found several different types of vulnerabilities, including SQL Injection (SQLi). The W3C Systems Team determined that these vulnerabilities had been used to gain unauthorized access to its user database and to harvest encrypted passwords. Even in encrypted form, stolen credentials can be recovered by an attacker with enough time and computational power, so we are requiring our entire community to reset their passwords.

The W3C Systems Team has since conducted thorough code audits to remove these vulnerabilities, decommissioned unused services, and undertaken other measures to increase system security.

This is our first public statement about the incident. We have already required the W3C staff, Group Chairs, and the W3C Advisory Committee to change their passwords. These accounts have greater privileges within the system, and we wanted them secured before making a public announcement.

Anyone with a W3C account must now reset their password. Those who do not remember their password may use the recovery system. Anyone who used their W3C password on another site should change it there as well, since a recovered password can be tried against any account that shares it.

If you have general questions, please write to site-comments@w3.org.