Read Only Access
Incident Report for Customer.io
Postmortem

Incident Summary

Over the last week we identified an increase in account compromises through targeted attacks on known accounts that were not protected by two-factor authentication. We are still actively investigating this malicious activity, but our preliminary analysis shows that a bad actor targeted Customer.io to steal data and send spam messages.

Timeline

Oct 19, 2019 Attack on Customer A

Oct 21, 2019 20:15 (BST) Account enumeration attack started

Oct 21, 2019 Attack on Customer B

Oct 22, 2019 18:40 (BST) Account enumeration attack detected and stopped

Oct 23, 2019 Attack on Customer C

Oct 23, 2019 17:50 (BST) Multiple attack attempts on different accounts from the same IP identified

Oct 23, 2019 18:20 (BST) UI set to read-only mode

Oct 23, 2019 18:30 (BST) UI session invalidation; password reset for compromised accounts

Oct 23, 2019 Extensive auditing of user accounts and access

Oct 23, 2019 23:00 (BST) First communication with users.

Oct 24, 2019 Ongoing investigation and corrective measures

Root Cause

  • The attackers used an enumeration attack on our signup form and identified valid customer.io accounts by abusing the API.
  • The attackers then gained access to the identified accounts using a pre-existing password list. All of the unauthorized access was attained using the correct username and password for the account. These credentials were most likely obtained from one of the large historical breaches, such as those aggregated in combo lists like Collection #1, Anti Public, or http://exploit.in. All of the affected accounts showed as "owned" on haveibeenpwned.com.
  • The affected accounts did not have two-factor authentication enabled as an extra security layer.
  • The attackers used the access they obtained to send spam messages or, in some cases, to export and download customers' email lists.
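Both steps of the root cause share one signal: a single source IP touching many distinct accounts on one endpoint in a short window, first the signup form (enumeration), then the login form (credential stuffing). As an added illustration of how the detection noted in the timeline can be expressed (this is not Customer.io code), the Python below flags that fan-out pattern and then lists the accounts a flagged IP logged into successfully, which are the force-reset candidates. The log format, addresses and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Customer.io logs): ts, source IP, endpoint, account, outcome
SAMPLE_LOG = """\
2019-10-21T20:15:01Z 203.0.113.7 signup a@example.com exists
2019-10-21T20:15:02Z 203.0.113.7 signup b@example.com exists
2019-10-21T20:15:03Z 203.0.113.7 signup c@example.com free
2019-10-21T20:15:04Z 203.0.113.7 signup d@example.com exists
2019-10-21T20:15:05Z 203.0.113.7 signup e@example.com exists
2019-10-23T17:40:10Z 203.0.113.7 login a@example.com fail
2019-10-23T17:40:12Z 203.0.113.7 login b@example.com success
2019-10-23T17:40:15Z 203.0.113.7 login d@example.com fail
2019-10-23T17:40:20Z 203.0.113.7 login e@example.com success
2019-10-23T17:45:30Z 198.51.100.9 login a@example.com success
"""

def parse(log):
    """Split each log line into (timestamp, ip, endpoint, account, outcome)."""
    events = []
    for line in log.splitlines():
        ts, ip, endpoint, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, endpoint, account, outcome))
    return events

def flag_spray(events, endpoint, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: sorted accounts} for every IP that hit `endpoint` for at least
    `min_accounts` distinct accounts inside one sliding `window`. A legitimate user
    touches one or two accounts; enumeration and credential stuffing fan out."""
    by_ip = defaultdict(list)
    for ts, ip, ep, account, _ in sorted(events):
        if ep == endpoint:
            by_ip[ip].append((ts, account))
    flagged = defaultdict(set)
    for ip, hits in by_ip.items():          # hits are already in time order
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                  # slide the window forward
            seen = {a for _, a in hits[start:end + 1]}
            if len(seen) >= min_accounts:
                flagged[ip] |= seen
    return {ip: sorted(accts) for ip, accts in flagged.items()}

def compromised_accounts(events, flagged_ips):
    """Accounts that a flagged IP logged into successfully: force-reset candidates."""
    return sorted({acct for _, ip, ep, acct, outcome in events
                   if ep == "login" and outcome == "success" and ip in flagged_ips})
```

The `exists`/`free` outcomes on the signup rows are exactly what an enumerable signup form leaks; hardening the form to answer uniformly removes the leak, while this rule still catches the probing traffic itself.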

Resolution and Recovery

As soon as we became aware of the actual scale and nature of the attack and determined that the incidents were not isolated, we immediately set the UI to read-only mode and invalidated all active sessions. We then identified all accounts that had already been compromised and force-reset their passwords. We contacted all our users to recommend enabling 2FA, since it is a very effective defense against attacks like this. We have identified action items for improvement in our password policy, security settings, authentication handling, and other areas, and we are actively working on them. The investigation into this incident is still ongoing.

Corrective and Preventative Measures

  • A new feature was released today, Oct 24, which allows administrators to make two-factor authentication mandatory for all users in an account.
  • We are working on a stricter password policy, which we will release in the next few days, and on other initiatives to defend against attacks of this nature.
  • We hardened the signup form against this form of attack.
  • We are working to improve monitoring and alerting to detect these types of attacks.
Posted Oct 25, 2019 - 22:56 UTC

Resolved
Read-only access has been turned off, and team member privileges have been restored. We truly apologize for the inconvenience.
Posted Oct 23, 2019 - 22:15 UTC
Monitoring
We’ve isolated the suspicious behavior in our app and will be removing the read-only state we activated shortly.

This incident affects a small number of customers (fewer than 10) and was a compromise of user passwords on accounts that do not use 2FA as a second layer of protection.

We are reaching out to all customers affected directly and will be providing more information once our investigation concludes.
Posted Oct 23, 2019 - 21:24 UTC
Investigating
Our engineers are currently investigating a security issue and have temporarily set all Customer.io accounts to read-only access out of an abundance of caution. We will update again at 20:45 UTC.
Posted Oct 23, 2019 - 20:30 UTC
This incident affected: Management Interface.