The W3C (World Wide Web Consortium) recently contracted Cure53, a security auditing firm, to perform penetration tests on their systems. They uncovered systemic vulnerabilities and SQL Injections that the W3C Security Team was able to trace back to unauthorized access.

This unauthorized access appears to have exposed encrypted passwords. As a result, W3C has decided to invalidate all passwords and force a password reset for all users of their systems. They also have taken steps to fix the vulnerabilities.

More organizations should take pro-active discovery and investigative action like this - the sooner the better. Knowing how your organization's systems weather an actual attack is far more blissful than ignorance.

(Sidenote: If no penetration had been discovered, I would have rated this a "Level Zero Event" to indicate that the security audit should be an expected occurrence when running servers.)

Related Links

• W3C Password Reset