On Tuesday, October 25th, for a short period our website started advertising essay writing services. As you might expect, that was spam and it shouldn’t have happened. However, we can assure you that no data was compromised. We always want to be open when things go wrong, as much as when they go right, so here’s the lowdown on how it happened.
Like most companies and websites, we experience a never-ending barrage of cyberattacks. As you are reading this, I can basically guarantee that someone, somewhere is trying to compromise one of our servers for one reason or another. Most of these attacks are automated and not targeted at us specifically; they just probe as many websites as possible looking for a crack in the firewall, and yesterday they found one.
Recently, while addressing a completely unrelated issue, we temporarily disabled some of the security policies that mitigate particular attack methods.
A brute force attack is a fancy way of saying – try all the things! In this case, try all the possible passwords. If you think of a simple combination lock with 4 numbers, there are only 10,000 possible combinations – so even a human can eventually try them all and find the correct combination to open the lock. Add a computer to the mix and that whole process could take a few seconds.
But what if you limit the number of guesses allowed? If you only allow 3 wrong attempts per day, all of a sudden you’ve leveled the playing field. Even for a computer that simple 4-digit combination lock might take up to 9 years to crack! Now I can assure you that the passwords our team use are more complex than a 4-digit number, but the same principles apply – the math is just a little more complicated.
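To make the guess-limiting idea above concrete, here is an added example (not Mycroft's code or configuration): a small per-account attempt limiter that refuses further guesses once an account has hit its cap of wrong attempts within a sliding window, plus the arithmetic for how long an exhaustive search of a 4-digit space takes with and without such a limit. The cap of 3, the 24-hour sliding window, the account name and the unthrottled guess rate of 1,000 per second are all assumptions chosen for illustration.

```python
"""Added example: daily cap on wrong login guesses, and the brute-force
arithmetic for a 4-digit combination. All parameters are assumptions."""
import hmac
from collections import defaultdict, deque

SECONDS_PER_DAY = 86_400


class AttemptLimiter:
    """Allows at most `max_failures` wrong guesses per account inside a sliding
    window of `window_seconds` (assumed: 3 per 24 hours). Once the cap is hit,
    every attempt is refused until the oldest failure ages out of the window,
    so a locked account reveals nothing about whether a guess was right."""

    def __init__(self, max_failures=3, window_seconds=SECONDS_PER_DAY):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def attempt(self, account, guess, secret, now):
        """Returns 'locked', 'wrong' or 'ok'. `now` is a timestamp in seconds."""
        if self.is_locked(account, now):
            return "locked"
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(guess.encode(), secret.encode()):
            self._failures[account].append(now)
            return "wrong"
        self._failures[account].clear()  # a successful login resets the counter
        return "ok"


def unthrottled_seconds(keyspace, guesses_per_second):
    """Worst case to try every combination when nothing slows the guesser down."""
    return keyspace / guesses_per_second


def throttled_years(keyspace, allowed_per_day, days_per_year=365):
    """Worst case to try every combination at the limiter's permitted rate."""
    return keyspace / allowed_per_day / days_per_year


if __name__ == "__main__":
    lim = AttemptLimiter()
    for i, guess in enumerate(["0000", "0001", "0002", "4821"]):
        print(guess, lim.attempt("demo-account", guess, "4821", now=float(i)))
    print(f"4-digit lock, 1000 guesses/s: {unthrottled_seconds(10_000, 1_000):.0f} s")
    print(f"4-digit lock, 3 guesses/day: {throttled_years(10_000, 3):.1f} years")
```

The fourth attempt in the demo is the correct code, yet it is refused because the account is already locked; that refusal is what turns a few seconds of work into roughly nine years. A production limiter would keep its counters in shared storage rather than process memory and would also throttle by source address, since an attacker can spread guesses across many accounts.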
Now for the good news. The account they gained access to did not have administrative privileges or system-level access, and all passwords we use are unique. So they could not install anything malicious, nor use the credentials they discovered to log in to any other system, but they could publish new content to our blog, and they did.
Thanks to our vigilant community members who flagged this, we were able to take it down very quickly, and we immediately locked down the compromised account. We then engaged independent experts to help us confirm exactly what actions the attackers took after gaining access. We confirmed that no other malicious activity had taken place and, most importantly, that no customer data had been accessed in any way.
Whilst it’s great that nothing major happened, it shouldn’t have happened in the first place. Like most security fails, it was human error, and we’ll be reviewing our processes going forward to see how we can continue to improve.
But for now – definitely don’t buy essay writing services from us. And if you care deeply about the thing you’re locking up, probably skip the combination locks too.
Gez is the Director of Developer Relations at Mycroft. He comes from the land down under, has a strange love of crocodiles, and one day hopes to play the ukulele. If he’s not hanging out in our Community Chat and Forums, he is probably getting lost in the bush.