Ebay, Adobe, Meetup, Evernote, Feedly, Home Depot Vimeo, Shutterstock, Bit.ly, MailChimp, Domino's Pizza, JPMorgan, and Target. The common link between these companies is that they have all suffered embarrassing data breaches and DDoS attacks.
The latest on the list is BrowserStack, which became a victim of hack attack on 9th of November .
YourStory spoke to Ritesh Arora from BrowserStack about the attack, and he said, “As of now we are super busy talking to our customers. Our entire tech team at BrowserStack is busy with an internal security audit, and then we’ll be doing an external audit. This may take a day or two normalize.”
Talking about where the attack originated from, he added, “We have the IP trace. We are connected with the hosting providers where the hacker came from. We have the information, but it’s too early to disclose anything yet. We’ll be looking at legal action. We’ve just sent an email to all our 800,000 registered users, even if they didn’t get that spam email from the attacker. They have the right to know what happened here.”
Here is what we know about the attack
BrowserStack runs thousands of servers on Amazon Web Services. The company reportedly said the attacker targeted its inactive and old prototype machine that didn’t have appropriate patch installed. The hacker was able to penetrate the security through this inactive machine. And the database logs confirmed that user data was copied and the attacker sent this email to the list. As per the post-mortem analysis that the company performed, no payment data and user test history was compromised. The company didn’t specifically mention how many customers have been affected.
What was the extent of the damage?
The company released a postmortem report: Our database logs confirmed that user data was partially copied, but no user test history was compromised. Therefore, all user data remains wholly intact. Most crucially, credit card details were not compromised, as we only store the last four digits of the credit card number, and all payment processing takes place through our payment processing partner. All user passwords are salted, and hashed with the powerful bcrypt algorithm, which creates an irreversible hash which cannot be cracked. However, as an added precaution, we suggest that users change their BrowserStack account passwords.
We were able to verify the actions of the hacker using AWS CloudTrail, which confirmed that no other services were compromised, no other machines were booted, and our AMIs and other data stores were not copied.
In addition, our production web server logs indicate that we were experiencing shellshock attempts, but they failed because the production web server has the necessary patches to foil all such attempts.
According to BrowserStack, it has deployed the following to mitigate and prevent further incidents:
- After taking down the service, we revoked all the existing AWS keys and passwords, and generated new ones immediately, as an added security measure.
- Subsequently, we went through all the SSH logs, web server logs, as well as AWS Cloud Trail logs, to ensure that no more damage was done.
- We are migrating all backups to encrypted backups, and removing all unencrypted ones.
- We have also put in several additional checks and alerts, which are triggered on specified AWS actions. As a precautionary measure we have also created new VM snapshots and have replaced all the existing ones.
- To prevent further incidents, we are in the process of evaluating certain VPC/VPN options to enhance our security measures.
- We’re going to have a security audit conducted by an external, independent agency.
The lesson to be learned from here is why it is so important to take incorporating patches seriously. Take care of your passwords hash, salt, and hash again, and then store the account credentials on a secure web database server.