1 post • joined 29 Apr 2010
Just to clear up some misconceptions...
1. Last week, due to some temporary debug code that was promptly removed, we discovered that some splunk.com users’ passwords inadvertently appeared in our internal web server logs.
2. No one’s password was accessible from the internet or the splunk.com web site, and we took immediate steps to purge the confidential information from our internal system logs.
3. Our internal IT team that monitors the Splunk.com site logs are the only employees who would have temporarily been able to see these passwords.
4. This applies only to passwords on our web site, splunk.com, and did not impact anyone’s deployment of Splunk software or the data stored in customers’ instances of Splunk.
5. We proactively reset all potentially affected users’ passwords; cleared all of these users’ active sessions on splunk.com; purged the information from all internal log files; and then notified all affected users, sending them a new temporary password. This was a precaution.
No, we don't normally leave clear text passwords in the logs - web monkeys have been appropriately flogged.
Feel free to ask me any questions or see the updated blog post here: http://blogs.splunk.com/2010/04/24/splunk-com-password-leak/
John Mark Walker
Splunk Community Guy