One or more miscreants have been able to slurp and leak usernames and passwords from Bitdefender. The unencrypted login details belonged to some of the security biz's small business customers.
The crims wanted $15,000, or they would reveal the swiped customer records. Now some of that data has leaked online.
In response to queries from The Register on this score, Bitdefender said its systems were not infiltrated, but information was obtained. (It's possible the logins were intercepted by an attacker who managed to access the controls of Bitdefender's Amazon cloud account.)
Bitdefender told us:
We recently found a potential security issue with a single server. We immediately launched an investigation and found that a single application was concerned – a component of the public cloud – exposing a very limited number of usernames and passwords. Our investigation also revealed that the server was not penetrated, but a vulnerability potentially enabled exposure of a few user accounts and passwords.
The issue was immediately resolved and additional security measures were put in place in order to prevent it from reoccurring. As an extra precaution, a password reset notice was sent to all potentially affected customers, representing less than 1 per cent of our SMB customers. This does not affect our consumer or enterprise customers. Our investigation revealed no other server or services were impacted.
Bitdefender takes the security of its customers very seriously and any issue that might involve the security of our customers or the security of our servers is treated with the utmost urgency and seriousness.
Breaches at security firms are always awkward and embarrassing, even if they're relatively minor. If you set yourself up to secure the systems of clients, then a perceived or real failure to keep your own house in order never looks good. ®