Important Note to Our Clients: Chartbeat Phishing Attack
This week, Chartbeat was subject to a phishing attack as part of an ongoing campaign from the Syrian Electronic Army that recently affected Outbrain, SocialFlow, and a number of other sites.
Let me say first that no client’s site was affected. No action was taken on or from a client site. However, four Chartbeat Publishing clients’ dashboards were viewed by unauthorized parties and a handful of passwords were reset by these wankers. I’ve been on the phone with every one of the partners whose dashboards were viewed as we continue to investigate this. If I have not contacted you directly, we don’t feel there’s a need for concern at this point, but if you’d like and it would make your more comfortable, feel free to reset your password.
Though it appears this incident only involved a few clients, we’re sharing this information publicly because we believe in transparency above all else and have our clients’ data and security as our absolute top priority. In the next day, our development and web ops team will be writing a complete post on all of the security measures and updates we’ve had in place, put in place and will put in place.
That’s the gist, for those who want to know more, here’s what we know:
So what happened?
We’ve been investigating this intensively since the phishing attack and, as of now, we’ve found that there was unauthorized access of a Chartbeat employee account. No client sites were accessed. Chartbeat Publishing dashboards for four of our clients were viewed and attempts were made to set and reset passwords for a handful of their Chartbeat accounts. As soon as we found out, we disabled access. In addition, the Chartbeat Twitter account was hacked for less than five minutes on Thursday early morning. This is what we know and we will continue to share more with you here and in future posts as we learn more.
Was your dashboard accessed?
Our investigation shows that only four dashboards have been accessed, and we have directly contacted those four clients. If I haven’t directly contacted you (phoned and emailed), our investigation indicates that your dashboard was not accessed. If you see anything unusual however small, please email support@chartbeat.com (which goes to all of us) or via Twitter at @Chartcorps. We are continuing to monitor and investigate around the clock.
Is there anything else for you to do?
Nope, but if you feel more comfortable, you can reset the passwords to your Chartbeat accounts — as a precautionary protective measure.
How will we keep you informed?
We’re continuing to investigate, and if we learn anything new that directly relates to you, your account, or your site we will contact you immediately. If we learn anything new that’s worth sharing more broadly, we’ll update this post.
One more thing from the whole Chartbeat team…
We feel terrible about this. That’s an understatement, really. We are taking this incident incredibly seriously, and we’re here to answer any questions you have, whenever you have them. Please do not hesitate to email us with any question or concern you have. You and your security is our absolute number one priority.