W3C website fell victim to an SQL injection




It has come to light today that the website of W3C (World Wide Web Consortium) has fallen victim to an SQL injection from an unknown party.

W3C announced today in a blog post that they had hired external penetration testing firm Cure53 to conduct a routine test on their infrastructure and had discovered several vulnerabilities, one of which was an SQL injection.

Upon further investigation, the W3C systems team determined that the SQL injection had been leveraged by an unknown party and that their database had been breached. The database was full of user credentials, which we presume contained at least usernames, encrypted passwords and e-mails.

The W3C systems team have now fixed all of the discovered vulnerabilities and tightened their security by decommissioning all unused services and undertaking other security measures.

The passwords are encrypted, but it is unknown what encryption method was used, so it is not possible to determine how quickly an attacker could crack the hashes and recover plaintext login information.

W3C have asked all users to reset their passwords immediately and to use the forgotten password function on the website should they have lost this information. 
