It’s not often that I give out praise for how a company handles a security breach, especially one that could contains usernames and passwords. Normally, the scenario is as follows:
- Ask for forgiveness and promise to never, ever, do it again
This was not the case today when I was notified by MaxCDN , whom I use for a CDN service for the site, about an apparent breach over the the Memorial Day weekend. They seem to have quickly identified the breach, closed off loopholes, and notified me of everything that was going down to include that my password would need to be reset. Actually, they went beyond that in that I know for a fact that they immediately expired everyone’s passwords because I found it old several nights ago that I was prompted to reset my password. At the time, I thought “Oh well, must have been something that I did or didn’t do” when in fact it was MaxCDN’s team going about ensuring the integrity of the system.
Below, is the copy of the email that I received from their team. Kudos to the people involved.
Sent: 5/30/2013 12:42 PM
Subject: Important Security Update: Resetting your Credentials
Over the Memorial Day weekend the NetDNA (parent company of MaxCDN) Operations team responded to a security breach on a small number of our systems. We immediately took action to block the attackers and mitigate any further security problems.
The initial investigation has shown that the parties responsible were likely able to gain access to NetDNA user information including:
· Email address and contact information
· Some customer configuration information
· Hashed passwords and API Keys
This means, to further assure the integrity and security of your NetDNA service, we are requiring you to:
· Change your Password: We have expired all passwords. Our control panel has already reset your password if you’ve logged in recently. If you have not logged in, you will be prompted at the control panel that your password has expired and you will be asked to reset it.
· Update API Credentials: Change the API keys in your code. http://support.netdna.com/tutorials/create-an-api-idkey-pair/
· Strengthen your API Whitelist: If you are using our API, please make sure that only IPs you recognize are whitelisted, as an extra precaution:
Although passwords were encrypted (hashed and salted), we recommend that you change or reset passwords on other services where you may use similar passwords. We recommend you use a unique password on each service.
We use a combination of our own infrastructure and managed infrastructure provided by third party vendors. One of the third party vendors, who will be making an announcement in the coming days, had a security breach. The internal infrastructure of this provider stored certain access credentials to the IPMI module on some of our remote servers (used for remote access); this is where the intruder gained their initial point of access. As a result of this vulnerability, a web server containing customer information on our network was able to be accessed. We have been working around the clock since discovering this.
What are we doing about it?
· We have currently locked down all entry points. We will continue to stay vigilant.
· We are forcing system wide password changes using bcrypt.
· We have removed wildcard API whitelisting.
· All internal passwords have been changed.
· We will launch more security features for you in the coming weeks.
Is my payment information compromised?
No, the system that stores customer credit card and billing information was NOT affected or accessed.
What were the hackers targeting?
Why didn’t we contact you immediately?
We took immediate action to secure our systems. We wanted to understand any threats through investigation and system wide lock-down. We are now notifying you with a clearer understanding of what has happened and what this means for you.
What else do I need to do to be aware of?
If you are hosting at a managed service provider, as many of our customers do, make sure that all credentials are as locked down as possible.
I don’t remember my password, how can I change it?
For this process, we’ve disabled the “Forgot Password” feature on our control panel login page. Please contact support to verify your account – firstname.lastname@example.org.
Will you be releasing more information?
Yes, we will release as much information as possible as soon as possible. We will be as transparent as possible. We have an ongoing investigation into the incident. We are working with the appropriate Federal authorities who are investigating the attack. We are also working closely with our vendors to share information used in jointly securing our systems.
As similar events with other large internet services have shown, this type of activity has become increasingly prevalent. We take our responsibility to protect your data with the utmost seriousness. We are working to improve our defense against such attacks by performing policy changes, security audits and lockdown, and system upgrades.
We are very sorry for the inconvenience that we have caused you. We will post a detailed post mortem and a list of security features that we have added to prevent things like this from happening in the future on our blog. You may also contact me directly or our support team at any time.
You are receiving this email because you are a MaxCDN customer.