SourceForge attacked, resets 2 million account passwords to protect users (thenextweb.com)
14 points by ssclafani on Jan 29, 2011 | 11 comments



I'm not sure how this protects users? SF was already compromised. If someone gained access to the passwords in their database, they're already out in the wild. Changing your password now has zero benefit to the user outside of protecting access to SF itself.


> I'm not sure how this protects users? SF was already compromised.

The passwords were potentially compromised. Changing the passwords for their users means the user accounts won't work with the (potentially) compromised passwords any more.

> If someone gained access to the passwords in their database, they're already out in the wild. Changing your password now has zero benefit to the user outside of protecting access to SF itself.

If the user is using one password for all websites that's a separate problem. This move is to protect SF users' accounts.


Both of which are protection for SF, not for the user. Personally, I use a utility called 1Password, which means I don't use the same password for very many sites. My point is that for those who do use the same password for SF as well as other sites, this move doesn't protect them. It only protects SF.

In short, I disagree with the wording of the title. This does nothing to protect users, it only protects SF.


What more could they be doing?


Nothing. The breach is over. And they should force user password changes. I'll say it again. I'm simply disagreeing with the phrasing of the title painting this as protecting users.


Didn't realize anyone still used SF anymore...everything seems to be on GH these days :)


"what's a sourceforge?"

... thinking the same thing. GitHub is the new SourceForge.


They should just shut it down. SF has been way over its expiry date long before this incident.


What's wrong with it? Most projects that use it have used it for ages...


So the passwords were NOT taken from the DB (should not be in there anyway, just a hash of them) but rather sniffed over the network itself?


Since I don't use SF these days, I'm not resetting my password. If they can't properly protect my password, I'm not giving them a new one.



