Important Security Update: Resetting your Credentials
May 29, 2013 | Chris Ueland
The following blog post was sent to all customers as an email communication.
Over the Memorial Day weekend the NetDNA (parent company of MaxCDN) Operations team responded to a security breach on a small number of our systems. We immediately took action to block the attackers and mitigate any further security problems.
The initial investigation has shown that the parties responsible were likely able to gain access to NetDNA user information including:
Email address and contact information
Some customer configuration information
Hashed passwords and API Keys
This means, to further assure the integrity and security of your NetDNA service, we are requiring you to:
Change your Password: We have expired all passwords. Our control panel has already reset your password if you’ve logged in recently. If you have not logged in, you will be prompted at the control panel that your password has expired and you will be asked to reset it.
Update API Credentials: Change the API keys in your code. http://support.netdna.com/tutorials/create-an-api-idkey-pair/
Strengthen your API Whitelist: If you are using our API, please make sure that only IPs you recognize are whitelisted, as an extra precaution.
Although passwords were stored hashed and salted, we recommend that you change or reset passwords on other services where you may use similar passwords; a salted hash slows offline guessing but does not prevent it. We recommend you use a unique password on each service.
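Why a salted hash still warrants changing reused passwords, as an added example (this is not NetDNA's code, and it does not describe their storage format). bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it here: both are salted and deliberately slow. The iteration count, the wordlist and the passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Kept low so the demonstration runs in well under a second; production
# values are far higher. (Constructed for this example.)
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$digest_hex' using a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack(stored, wordlist):
    """What an attacker does with a leaked hash: the salt sits next to it, so
    salting only defeats precomputed tables, not guessing one hash at a time."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "maxcdn2013", "summer13", "qwerty"]


def demo():
    strong = hash_password("wJ9#kq2L!vR8pz^X")
    weak = hash_password("summer13")
    # The same weak password on a second service gets a different salt and
    # hash, but each leaked copy is guessed independently and falls anyway.
    weak_elsewhere = hash_password("summer13")
    return {
        "distinct_hashes": weak != weak_elsewhere,
        "verify_ok": verify_password("summer13", weak),
        "verify_bad": verify_password("summer14", weak),
        "cracked_weak": crack(weak, WORDLIST),
        "cracked_strong": crack(strong, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is the one the notice makes: the hashing scheme buys time, but a password that appears in a wordlist is recovered regardless of the salt, so any service where the same password was used should be changed too.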
We use a combination of our own infrastructure and managed infrastructure provided by third party vendors. One of the third party vendors, who will be making an announcement in the coming days, had a security breach. The internal infrastructure of this provider stored access credentials for the IPMI modules (used for out-of-band remote access) on some of our remote servers; this is where the intruder gained their initial access. As a result, a web server on our network containing customer information could be accessed. We have been working around the clock since discovering this.
What are we doing about it?
We have currently locked down all entry points. We will continue to stay vigilant.
We are forcing system-wide password changes, with the new passwords hashed using bcrypt.
We have removed wildcard API whitelisting.
All internal passwords have been changed.
We will launch more security features for you in the coming weeks.
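An added example of the allowlist check asked of customers above and the wildcard removal just listed (this is not NetDNA's code and does not reflect how their control panel validates entries). It audits an exported API IP whitelist, rejecting wildcards and their CIDR equivalents, ranges wider than a set limit, non-routable ranges that can never be a request source, and entries outside networks the operator recognises. The sample entries, the width limits and the "known networks" list are all constructed for the example.

```python
import ipaddress

# Constructed sample allowlist (made-up entries; the documentation ranges
# 203.0.113.0/24 and 198.51.100.0/24 stand in for a customer's real
# public addresses).
SAMPLE_ALLOWLIST = [
    "203.0.113.10",       # a single office address
    "198.51.100.0/28",    # a small deploy subnet
    "*",                  # wildcard: any source may use the key
    "0.0.0.0/0",          # CIDR spelling of a wildcard
    "10.0.0.0/8",         # an entire private range
    "2001:db8::/32",      # a whole IPv6 allocation
    "192.168.1.300",      # malformed
]

# Networks this customer actually operates (assumption for the example).
KNOWN_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]

MAX_IPV4_ADDRESSES = 256   # nothing wider than a /24
MIN_IPV6_PREFIX = 64       # nothing wider than a single /64

# RFC 1918, loopback and link-local: a public API never sees these as the
# source of a request, so an entry here is a misconfiguration.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def audit_allowlist(entries, known_networks=KNOWN_NETWORKS):
    """Split an allowlist into accepted entries and (entry, reason) findings.

    An entry is accepted only if it parses, is no wider than the limits
    above, is publicly routable, and lies inside a recognised network.
    """
    known = [ipaddress.ip_network(n) for n in known_networks]
    accepted, findings = [], []
    for raw in entries:
        entry = raw.strip()
        if entry in ("", "*", "any") or entry.endswith(".*"):
            findings.append((raw, "wildcard: every source address may use the key"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((raw, "not a valid IP address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append((raw, "/0 is a wildcard in CIDR form"))
        elif net.version == 4 and net.num_addresses > MAX_IPV4_ADDRESSES:
            findings.append((raw, f"/{net.prefixlen} covers {net.num_addresses} addresses"))
        elif net.version == 6 and net.prefixlen < MIN_IPV6_PREFIX:
            findings.append((raw, f"/{net.prefixlen} is wider than a /{MIN_IPV6_PREFIX}"))
        elif net.version == 4 and any(net.subnet_of(p) for p in NON_ROUTABLE_V4):
            findings.append((raw, "private or non-routable range can never be a request source"))
        elif not any(k.version == net.version and net.subnet_of(k) for k in known):
            findings.append((raw, "not inside any network you recognise"))
        else:
            accepted.append(str(net))
    return accepted, findings


if __name__ == "__main__":
    keep, problems = audit_allowlist(SAMPLE_ALLOWLIST)
    print("keep:", keep)
    for entry, reason in problems:
        print(f"remove or tighten {entry!r}: {reason}")
```

Run it against your own export before rotating keys: a rotated key behind a wildcard entry is usable from anywhere, which is exactly the exposure the wildcard removal above closes on the provider side.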
Is my payment information compromised?
No, the system that stores customer credit card and billing information was NOT affected or accessed.
What were the hackers targeting?
Why didn’t we contact you immediately?
We took immediate action to secure our systems. We wanted to understand any threats through investigation and system wide lock-down. We are now notifying you with a clearer understanding of what has happened and what this means for you.
What else do I need to be aware of?
If you are hosting at a managed service provider, as many of our customers do, make sure that all credentials are as locked down as possible, including any remote-management (IPMI) credentials the provider holds for your servers.
I don’t remember my password, how can I change it?
For this process, we’ve disabled the “Forgot Password” feature on our control panel login page. Please contact support to verify your account – firstname.lastname@example.org.
Will you be releasing more information?
Yes, we will release as much information as possible as soon as possible. We will be as transparent as possible. We have an ongoing investigation into the incident. We are working with the appropriate Federal authorities who are investigating the attack. We are also working closely with our vendors to share information used in jointly securing our systems.
As similar events with other large internet services have shown, this type of activity has become increasingly prevalent. We take our responsibility to protect your data with the utmost seriousness. We are working to improve our defense against such attacks through policy changes, security audits and lockdowns, and system upgrades.
We are very sorry for the inconvenience that we have caused you. We will post on our blog a detailed post mortem and a list of the security features we have added to prevent this from happening again. You may also contact me directly or our support team at any time.