06-05-2011, 02:12 PM  #15
LaurieE
Senior Member
Join Date: Mar 2009
Location: Alachua, Florida
Posts: 678

I didn't receive an email from them (it was sent to my old email address). I went directly to Ravelry after reading your post. This is what is on their home page after I logged in:

Important information: Security Breach

An attacker recently managed to break in to one of our secondary servers. Once inside, they were able to access user names and encrypted passwords.

We think that it is best to be overly cautious and we are requiring you to change your password on Ravelry. We suggest that you also change your password on any other sites where you've used the same or similar password.

The passwords that the attacker was able to access were encrypted and your password is most likely safe. We are being cautious because modern password cracking technology is very sophisticated and given enough time and money or resources, the attacker could potentially recover some of the passwords.

No financial information or other sensitive information was accessed: we do not collect or store this type of data. Patterns for sale are stored securely and they were not viewed or downloaded and private correspondence (messaging between users) was not accessed either.

Please take this opportunity to set up different passwords for different sites. There are several good "password manager" applications that can help you keep track of your passwords.

We are deeply sorry that this has happened. We care very much about all of you and we never want something like this to happen again. If you have any questions or concerns at all, please post in this forum thread or email Sarah at [email protected].

How did this happen?

An attacker tried various methods to gain access to our servers. While most of these methods were unsuccessful, the attacker did eventually find a weak link, and was able to compromise the system that ran our blog. Once they had access to this system they were able to access other data that resided on the same server.

How will you make sure that something like this doesn't happen again?

First, and probably most importantly, we are working with an information security consulting firm that will help us audit and test our current and future systems. We are a tiny company with a small staff and only one engineer/programmer but we still take security very seriously. Having outside help will be a double-check that helps us catch mistakes before they become problems.

Secondly, we are reviewing all of the software we use to run our systems, and eliminating everything we can to reduce our exposure to attackers. As an example, the software we used to run our blog was not only completely re-installed, it was also moved to a separate web host to limit exposure in the future. We are also using new technologies to help detect and automatically block certain types of attacks.

Finally, we are doing as much as possible to limit the exposure of data should a breach occur. All sensitive data in our databases is protected with strong encryption, and we are working to identify any areas where data could leak from our systems.

This has been a really frustrating and upsetting experience but the silver lining is that we are in a better position to make sure that your information is safe. We want you to have confidence that we are doing everything we can to make sure that your Ravelry is positive and safe. Thank you so much for your patience and understanding as we work through this.

----- me again
Once you change your password, if you logout and go back in, that message no longer appears. I found the thread where they were talking about it. And yes, they are sending out emails alerting people to the breach.