A user was able to gain access to our LDAP database and has published the email addresses and names, as well as apparent password hashes, of anyone who has signed up to identity.mageia.org. However, the published hashes do not match those on record, and all capitalisation has been removed, so it is not clear that the actual passwords have been compromised. All of the passwords have since been reset as a security precaution. New rules have been added to prevent access to the LDAP server. The sysadmins are investigating how the fields were read, as the configuration should have specifically prevented this.

The passwords stored by the Mageia LDAP server are hashed and salted, meaning that the full decryption of the password, if they have actually been leaked, into a human-usable format would require significant computing power for safe and complex passwords. Despite the leaked data only appearing to be names and email addresses of identity.mageia.org users, we strongly urge users to be cautious if the password used for their Mageia account is used elsewhere, and we recommend changing passwords wherever else it is used.

To regain access to your Mageia account, the reset password link should be sufficient for all users without git access.The reset password link can be obtained by asking for a password reset on https://identity.mageia.org/forgot_password after which you’ll receive a mail with the link.

For privileged users, a sysadmin should be contacted to regain access.

We sincerely apologise for any problems and inconvenience that this might cause.