[Repost from 8/23] CTO Update: Phishing Attack

August 23rd, 2013 by Wes

You saw in our CEO Tony's post yesterday that Chartbeat was a target of a phishing attack this week. It’s my job to make sure any attempts like these aren’t successful, so it pains me to say when an attack was, to any extent. But I want you guys to understand what we learned, so you can benefit from our experiences, just as we benefited from the swift action and transparency displayed by our peers (Outbrain, SocialFlow, and others). This week, we went from sympathizers with their experience to empathizers, and we hope that through this post and all our learnings, you can remain in the camp of the former and fully avoid the camp of the latter.

I’d like to give you as many details as I can about what security measures we had in place to protect our site and yours, what measures we immediately put in place, and what we are putting in place over the coming days. I apologize in advance if any of this seems vague. While I want to be as transparent as possible with you, we don’t want to give anyone a roadmap as to how they can access Chartbeat or your site. Know that there are many, many layers of protection beyond the high-level overview I’ve included here.

Protection we’ve had in place

  • Internal admin and infrastructure checks. We have multiple checks in place to detect any unauthorized activity on our internal infrastructure or tampering with any code that would affect any clients. That’s how we were able to see that the impact was internal to Chartbeat alone.

  • Extremely limited access to anything that affects a client site. Within our own admin system, we have multiple layers of security, and only a few key team members have access, so anything someone could reach through a general intrusion is incredibly limited.

  • Two-factor authentication for all of our vendor accounts that support it. Oddly enough, two-factor, in this instance, did not prevent a user from being compromised. But it's undeniably better to have it than not to have it. Google explains well what this is and how it helps.

  • Geolocation and IP-address web access logs. We immediately examined web access logs combined with geolocation, and Gmail's IP-address login trail. These were indispensable tools for figuring out what parts of our system the attackers accessed.
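The kind of correlation this bullet describes, as an added illustration that is not code from the Chartbeat post: take the web access log for the phished account, geolocate each source IP, cross-reference against the IPs the mail provider's login history reported, and list exactly which paths the suspect sessions touched. Everything here is constructed for the example: the log lines are in Apache/nginx combined format with the authenticated user in the third field, the `GEO` table stands in for a real geolocation database (the `ZZ` code is a placeholder, not a real country), and `MAIL_LOGIN_IPS` stands in for the IPs copied out of the provider's recent-activity page.

```python
"""Scope a phished account: which requests came from IPs that are either
outside the user's normal countries or match the mail provider's login trail.
All log lines, IP addresses and the geolocation table below are constructed
sample data for this example, not real Chartbeat data."""
import re
from datetime import datetime

# Constructed web access log (combined format, authenticated user in field 3).
ACCESS_LOG = """\
203.0.113.7 - alice [23/Aug/2013:09:12:01 +0000] "GET /dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - alice [23/Aug/2013:09:13:44 +0000] "GET /api/sites HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.42 - alice [23/Aug/2013:14:02:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.30"
198.51.100.42 - alice [23/Aug/2013:14:02:30 +0000] "GET /admin/users HTTP/1.1" 200 8192 "-" "curl/7.30"
198.51.100.42 - alice [23/Aug/2013:14:03:05 +0000] "GET /api/keys HTTP/1.1" 200 1024 "-" "curl/7.30"
192.0.2.9 - bob [23/Aug/2013:14:05:00 +0000] "GET /dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed stand-in for a geolocation database; "ZZ" is a placeholder code.
GEO = {"203.0.113.7": "US", "198.51.100.42": "ZZ", "192.0.2.9": "US"}

# Constructed stand-in for the IPs listed in the mail provider's login history.
MAIL_LOGIN_IPS = {"198.51.100.42"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def geolocate(ip):
    """Country code for an IP, or 'unknown' when the table has no answer."""
    return GEO.get(ip, "unknown")


def scope_incident(entries, user, baseline_countries, suspect_ips=frozenset()):
    """Flag the user's requests from IPs that are in suspect_ips or geolocate
    outside baseline_countries (an 'unknown' location is flagged on purpose,
    so it gets reviewed rather than silently trusted). Returns the flagged
    IPs, the flagged requests in time order, the distinct paths they touched,
    and the earliest flagged timestamp."""
    mine = [e for e in entries if e["user"] == user]
    anomalous_ips = {
        e["ip"] for e in mine
        if e["ip"] in suspect_ips or geolocate(e["ip"]) not in baseline_countries
    }
    suspect = sorted((e for e in mine if e["ip"] in anomalous_ips), key=lambda e: e["ts"])
    return {
        "anomalous_ips": anomalous_ips,
        "suspect_requests": suspect,
        "resources": sorted({e["path"] for e in suspect}),
        "first_seen": suspect[0]["ts"] if suspect else None,
    }


if __name__ == "__main__":
    report = scope_incident(parse_log(ACCESS_LOG), "alice", {"US"}, MAIL_LOGIN_IPS)
    print("suspect IPs:", sorted(report["anomalous_ips"]))
    print("first suspect request:", report["first_seen"])
    for e in report["suspect_requests"]:
        print(f'{e["ts"].isoformat()} {e["ip"]} {e["method"]} {e["path"]} {e["status"]}')
    print("resources touched:", report["resources"])
```

The output of `scope_incident` is the list you need for the lockdown step: the paths the attacker reached tell you which credentials, keys and cookies to rotate first, and the earliest flagged timestamp bounds how far back the rotation and log review have to go. With real data, `GEO` would be a lookup against a geolocation database and `MAIL_LOGIN_IPS` the addresses from the provider's account-activity page.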

Protection we immediately put in place

  • Complete lockdown actions. We immediately changed passwords for all affected customers and all employees, expired API keys and cookies, and implemented even stricter, across-the-board measures on the sharing and storing of user names and passwords.

  • Additional employee email security. We configured our email system to be more aggressive about flagging phishing attempts. Additionally, we'd previously been using an encrypted password manager for important external account information. We're now rolling it out for all teams.

  • Internal team communication and behavioral change. This step is incredibly important. After the Outbrain and SocialFlow activities, we had an all-hands meeting to discuss personal security options. We’ve had discussions and updates with our team multiple times a day through multiple channels to make sure everyone knows what we’re doing and more importantly what they can do. But the biggest thing we’ve learned is that security is everyone’s responsibility. It’s not something we simply message but something that everyone is working on constantly. There will always be more we can do because those pursuing these methods are always out to do more, and it’s important that every single person on the team believes in that and acts on it.

Protection we’re working to get in place

  • Outside security firm ramp up. We'll continue to work with our internal and external security firms to make sure that we have all of our bases covered and that we're being as proactive as we can.

  • Two-factor authentication for all Chartbeat products. This will mean that you, as a customer, will be able to add this additional measure of verification to Chartbeat or Chartbeat Publishing. Our friends at SocialFlow added this feature to their products recently, also.

Those are just some of the things we’re working on and we’d love to hear your thoughts and learnings on what we could do going forward. We know this is continuous and ongoing, systematic work.

I hope this helps you to know that your sites have been and are protected, and that there are things that all of us can do to work together to build up stronger and stronger enforcements across the web.