Hackers have compromised a private e-mail list used by Linux and BSD distributors to share information on embargoed security vulnerabilities and used a backdoor to sniff e-mail traffic, according to the moderator of the list.
In a note to "Vendor-Sec" members, moderator Marcus Meissner said he noticed the break-in on January 20 but warned that it might have existed for much longer.
I have disabled the specific backdoor, but as I am not sure how the break-in happened it might reappear. So I recommend not mailing embargoed issues to vendor-sec@....de at this time.
Immediately after Meissner's warning e-mail, the attacker re-entered the compromised machine and destroyed the installation.
The "Vendor-Sec" list is used by distributors of free/open-source OS and software to discuss potential distribution element (kernel, libraries, applications) security vulnerabilities, as well as to co-ordinate the release of security updates by members.
This means that a compromise and the capturing of e-mails could have serious consequences.
Meissner has since killed the list:
So everyone please consider vendor-sec@....de is dead and gone at this point, successors (or not) will hopefully result out of this discussion.
The H Security notes that this isn't the first compromise of the "Vendor-Sec" list. In 2005, black hat hackers reportedly hijacked a kernel exploit for root access from the list.