11 April 2020 Open Tree Security Incident

The most recent info about the hack

We are updating this Google Doc with information about the hack of our servers on 11 April, 2020.

First note sent to our googlegroups list:

Today (Apr 11 in the afternoon US time) several of the Open Tree of Life webservers were compromised by hackers. We are assessing the vulnerability, and think that it is probably in one of the web frameworks that we are using. We have taken the servers offline. We’ll be bringing the servers back online after we complete a security audit.

The attack appears to be part of an effort to exploit servers for a denial-of-service attack, rather than an attack specifically targeted at the Open Tree of Life project.

As you know if you have curated a phylogenetic study or used Open Tree’s comment system, we don’t maintain a database of users. Rather, we rely on GitHub web authentication to associate curation and comments made by users with their GitHub user names. Out of an abundance of caution, we have revoked all of the user permission tokens from the Open Tree app. So, when we do have curation re-enabled, you will have to log in and reauthorize Open Tree in order to edit studies.

Feel free to contact us with questions via email or our gitter channel: https://gitter.im/OpenTreeOfLife/public

We apologize for the down-time and the security breach.

Sincerely, Mark Holder on behalf of the Open Tree of Life team.
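The note above says every user token issued to the Open Tree GitHub OAuth app was revoked, so curators must log in and reauthorize. The following is an added example, not part of the notice and not Open Tree's code, of what a web app has to do on its own side after such a revocation: any GitHub access token still held in a server-side session is dead, so the app confirms that with GitHub and sends the user back through authorization instead of acting on the stale token. The check uses GitHub's "Check a token" endpoint (POST /applications/{client_id}/token, Basic-authenticated with the app's client_id and client_secret; 200 for a valid token, 404 for one GitHub no longer recognises). The HTTP transport is injectable so the code runs offline against a constructed stand-in for GitHub; the client id, client secret, token strings and session layout are made up for the example.

```python
"""Added example: re-validating stored GitHub OAuth tokens after a mass
revocation and forcing re-authorization. Not Open Tree project code."""
import base64
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

GITHUB_API = "https://api.github.com"


@dataclass
class Response:
    status: int
    body: bytes


# (method, url, headers, body) -> Response
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


def build_check_request(client_id: str, client_secret: str, access_token: str):
    """Assemble GitHub's 'check a token' request. The app authenticates itself
    with Basic auth (client_id:client_secret); the user token travels in the
    JSON body, never in the URL, so it does not land in access logs."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    }
    body = json.dumps({"access_token": access_token}).encode()
    return "POST", f"{GITHUB_API}/applications/{client_id}/token", headers, body


def token_owner(transport: Transport, client_id: str, client_secret: str,
                access_token: str) -> Optional[str]:
    """Return the GitHub login the token belongs to, or None if GitHub no longer
    recognises it (revoked, expired, or never issued to this app). Any other
    status (bad app credentials, rate limit, outage) raises: a failed check must
    not be mistaken for either answer."""
    method, url, headers, body = build_check_request(client_id, client_secret, access_token)
    resp = transport(method, url, headers, body)
    if resp.status == 200:
        return json.loads(resp.body)["user"]["login"]
    if resp.status == 404:
        return None
    raise RuntimeError(f"token check failed with HTTP {resp.status}")


def current_user(session: dict, transport: Transport, client_id: str,
                 client_secret: str) -> Optional[str]:
    """Resolve the acting GitHub user for a request. The login comes from
    GitHub's answer, not from whatever the session claims, and a dead token is
    dropped from the session so it is never replayed. None means: redirect the
    user to GitHub's authorization page again."""
    token = session.get("github_token")
    if not token:
        return None
    login = token_owner(transport, client_id, client_secret, token)
    if login is None:
        session.pop("github_token", None)
        session.pop("github_login", None)
        return None
    session["github_login"] = login
    return login


def urllib_transport(method, url, headers, body) -> Response:
    """Real transport for production use (not exercised offline)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return Response(r.status, r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read())


def fake_github(live_tokens: Dict[str, str], client_id: str, client_secret: str) -> Transport:
    """Constructed stand-in for GitHub after the revocation: only tokens in
    `live_tokens` (token -> login) are still recognised. Like the real endpoint,
    it rejects requests that do not carry the app's own credentials."""
    expected = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"{GITHUB_API}/applications/{client_id}/token"

    def transport(method, req_url, headers, body) -> Response:
        if method != "POST" or req_url != url or headers.get("Authorization") != expected:
            return Response(401, b'{"message":"Bad credentials"}')
        token = json.loads(body or b"{}").get("access_token")
        if token in live_tokens:
            payload = {"token": token, "user": {"login": live_tokens[token]}}
            return Response(200, json.dumps(payload).encode())
        return Response(404, b'{"message":"Not Found"}')

    return transport


# Made-up app credentials and tokens for the offline demonstration.
CLIENT_ID = "Iv1.0123456789abcdef"
CLIENT_SECRET = "example-client-secret"
GITHUB = fake_github({"gho_still_live": "curator-a"}, CLIENT_ID, CLIENT_SECRET)

if __name__ == "__main__":
    stale = {"github_token": "gho_revoked_on_apr_11", "github_login": "curator-a"}
    print(current_user(stale, GITHUB, CLIENT_ID, CLIENT_SECRET))  # None: re-authorize
    print(stale)  # token and cached login removed from the session
```

For a live deployment, pass `urllib_transport` in place of the constructed `GITHUB` stand-in. The check is deliberately fail-closed on unexpected statuses: after a server compromise the app's client secret is itself a candidate for rotation, and a 401 from GitHub should surface as an error rather than be read as "token still fine".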