Recently we were, unfortunately, the victim of a hacker attack against our system. Now that the incidence is over, we are working hard to ensure this type of breach never happens again. Below is a quick analysis of what happened, and a synopsis of what we are and will be doing.
First off, we traced the attack to a login on our notification system that had been compromised by hackers. Once compromised, the hacker accessed our notification system, then used an automated script to trigger inappropriate and unauthorized push notifications. The use of the script ensured that the messages won’t show up in our normal dashboards, where they could have been easily spotted. The sophistication of the hack seems to indicate that these hackers are experienced and have an intimate knowledge of how notification systems work. The one silver lining in all of this is that they appeared to have not breached any other systems.
Since an insecure login was the primary vector of this attack, in order to ensure this doesn’t happen again, we are implementing a series of changes to specifically address these types of issues:
- Remove none-critical logins: This attack was facilitated through a rarely used login that wasn’t properly secured. So, clearly the first step is to scrub through all of our systems and remove any non-essential logins.
- Stronger login security: Where logins are still needed, we are enforcing stronger password requirements. In addition, where 2-factor-authentications are feasible, we implement them. This way even if passwords were compromised in the future, hackers still wouldn’t be able to log into our system.
- Tighter roles/permission: We are also reviewing all the permissions that each login has to make sure it only has what’s needed, and no more. This ensures that even if logins are compromised, the damage would be contained.
In addition to these improvements, we want to reassure our users that our core system architecture had always been designed with security in mind. From minimizing data collection, to data isolation, to service isolation, to DDoS protection, we do work hard that the trust our parents and children have placed in us is upheld.
To sum up, we screwed up on this one! We are taking steps to prevent something similar from happening again. We really do appreciate the tremendous support and help that we received from all of our users. We couldn’t be doing this without you. Thank you!