We've identified an increase in account compromises over the last week, caused by targeted attacks on known accounts that were not protected by two-factor authentication. We are still actively investigating this malicious activity, but our preliminary analysis indicates that a bad actor targeted Customer.io to steal data and send spam messages.
Oct 19, 2019 Attack on Customer A
Oct 21, 2019 20:15 (BST) Account enumeration attack started
Oct 21, 2019 Attack on Customer B
Oct 22, 2019 18:40 (BST) Account enumeration attack detected and stopped
Oct 23, 2019 Attack on Customer C
Oct 23, 2019 17:50 (BST) Multiple attack attempts on different accounts from the same IP identified
Oct 23, 2019 18:20 (BST) UI set to read-only mode
Oct 23, 2019 18:30 (BST) UI session invalidation; password reset for compromised accounts
Oct 23, 2019 Extensive auditing of user accounts and access
Oct 23, 2019 23:00 (BST) First communication with users
Oct 24, 2019 Ongoing investigation and corrective measures
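The timeline entries for "account enumeration attack detected" and "multiple attack attempts on different accounts from the same IP" describe a pattern that can be spotted in authentication logs: one source address touching many distinct accounts in a short window. The following is an added example, not Customer.io's own code or tooling; it runs a sliding-window check over constructed log lines (hypothetical IPs and accounts) and then lists the accounts that authenticated successfully from a flagged IP, which are the natural candidates for the session invalidation and forced password reset the timeline describes.

```python
"""Flag source IPs that attempt logins against many distinct accounts in a short
window (the 'same IP, different accounts' pattern), then list the accounts that
were successfully logged into from those IPs.

Added example with constructed log lines; the IPs, accounts and log format are
assumptions, not data from the incident."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, outcome (FAIL/OK).
SAMPLE_LOG = """\
2019-10-21T20:15:01Z 203.0.113.7 alice@example.com FAIL
2019-10-21T20:15:03Z 203.0.113.7 bob@example.com FAIL
2019-10-21T20:15:04Z 198.51.100.2 carol@example.com OK
2019-10-21T20:15:06Z 203.0.113.7 carol@example.com FAIL
2019-10-21T20:15:09Z 203.0.113.7 dave@example.com FAIL
2019-10-21T20:15:11Z 203.0.113.7 erin@example.com OK
2019-10-21T20:25:00Z 198.51.100.2 carol@example.com FAIL
2019-10-21T20:25:30Z 198.51.100.2 carol@example.com FAIL
2019-10-21T20:26:00Z 198.51.100.2 carol@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def find_enumerating_ips(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Return {ip: set_of_accounts} for every IP that touched at least
    min_accounts distinct accounts within any sliding window of `window`.

    Successful logins count too: an attacker working through a list of known
    accounts will hit valid credentials as well as invalid ones. A single
    account failing repeatedly from one IP (a user mistyping a password) is
    deliberately NOT flagged, since the distinct-account count stays at 1."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # ip -> deque of (ts, account) inside the window
    flagged = {}
    for ts, ip, account, _outcome in events:
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= min_accounts:
            flagged.setdefault(ip, set()).update(accounts)
    return flagged


def accounts_to_reset(log_text, flagged):
    """Accounts that authenticated successfully from a flagged IP: the
    candidates for session invalidation and a forced password reset."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, account, outcome = parse_line(line)
        if ip in flagged and outcome == "OK":
            hits.add(account)
    return hits


if __name__ == "__main__":
    flagged = find_enumerating_ips(SAMPLE_LOG)
    for ip, accounts in flagged.items():
        print(f"{ip}: {len(accounts)} distinct accounts -> {sorted(accounts)}")
    print("reset candidates:", sorted(accounts_to_reset(SAMPLE_LOG, flagged)))
```

The thresholds (`window`, `min_accounts`) are tuning knobs: too low and shared office or NAT egress addresses produce noise, too high and a slow, low-volume run against a known account list slips under the bar. In the constructed sample only 203.0.113.7 is flagged; 198.51.100.2 retries one account and is left alone.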
As soon as we became aware of the actual scale and nature of the attack and determined that the incidents were not isolated, we immediately set the UI to read-only mode and invalidated all active sessions. We then identified all accounts that were already compromised and force-reset their passwords. We contacted all our users to recommend enabling 2FA, since it is a very effective defense against attacks like this. We have identified action items for improvement in our password policy, security settings, authentication handling, and other areas, and we are actively working on them. The investigation into this incident is still ongoing.