PagerDuty hacked ... and finally comes clean 21 days later. Cheers
Have a great SysAdmin Day everyone
Why not celebrate SysAdmin Day by worrying about a data breach at incident management peddler PagerDuty? An attacker managed to get into the company's systems on 9 July, and a belated 21 days later the company did the decent thing and informed its customers about the incident.
'Fessing up to the breach on its website, PagerDuty admitted that it detected an unauthorised intrusion by an attacker who exfiltrated "some information" about its customers back in early July.
An email sent to customers and seen by The Register is more revealing about what was exposed. The company acknowledged the attacker "gained unauthorised access to our users' names, email addresses, public calendar feed URLs, and hashed, salted and peppered passwords".
Andrew Miklas, the company's co-founder and CTO, stated that there is no evidence the attacker was able to access the pepper, which he states "makes it computationally infeasible that the hashed passwords can be used in any way by the attacker".
A concern raised by Scott Arciszewski, among others, however, casts doubt on how much protection the pepper actually provides.
Referencing a blog post by Anthony Ferrara, Arciszewski reminded Miklas that a common but improper way of applying a pepper can render it redundant. The tweet below asks a more pointed question: whether a 40-character salt and a 40-character pepper were concatenated in front of the password before bcrypt, which only uses the first 72 bytes of its input. An 80-byte prefix would leave no room for the password itself.
"Passwords are hashed with a salt and pepper" @pagerduty
40ch salt+40ch pepper for bcrypt?
https://t.co/GlRNInB6y1 pic.twitter.com/j2cotLj3D6
— Michal Špaček (@spazef0rze) July 30, 2015
The CTO, who has been otherwise active in the comments, has yet to provide an answer.
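What the tweet is getting at, as an added example that is neither the page's nor PagerDuty's code: bcrypt uses only the first 72 bytes of the password it is handed, so if a 40-byte salt and a 40-byte pepper are concatenated in front of the password, the password is truncated away and every candidate verifies. The block models that with a stand-in for bcrypt (stdlib PBKDF2 with the same 72-byte cut-off, an assumption made so the example runs without the third-party bcrypt package) and sets it beside a construction that keeps the pepper useful: the pepper as an HMAC key applied to the password before the slow hash. The salts, pepper and passwords are constructed test values; the article does not establish that PagerDuty's scheme actually worked the naive way, only that the question was asked.

```python
import base64
import hashlib
import hmac

# bcrypt uses only the first 72 bytes of the password it is given; anything
# after that is silently discarded. The stand-in below reproduces that
# truncation on top of a stdlib slow hash (PBKDF2) so the example runs without
# the third-party bcrypt package. It illustrates the failure mode and is not a
# bcrypt implementation; the iteration count is kept low for speed.
BCRYPT_INPUT_LIMIT = 72


def bcrypt_like(password_input: bytes, bcrypt_salt: bytes) -> bytes:
    """Slow hash of password_input[:72]; the truncation is the bcrypt property at issue."""
    return hashlib.pbkdf2_hmac(
        "sha256", password_input[:BCRYPT_INPUT_LIMIT], bcrypt_salt, 2_000
    )


# Scheme A (the pattern the tweet asks about): application salt and pepper
# concatenated in front of the password. With a 40-byte salt and a 40-byte
# pepper the prefix is 80 bytes, so the password starts after byte 72 and
# never reaches the hash at all.
def naive_hash(password: bytes, app_salt: bytes, pepper: bytes, bcrypt_salt: bytes) -> bytes:
    return bcrypt_like(app_salt + pepper + password, bcrypt_salt)


def naive_verify(candidate: bytes, stored: bytes, app_salt: bytes, pepper: bytes, bcrypt_salt: bytes) -> bool:
    return hmac.compare_digest(naive_hash(candidate, app_salt, pepper, bcrypt_salt), stored)


# Scheme B: the pepper is an HMAC key over the password, and the fixed-length
# (44-byte base64) result is what the slow hash sees. The password always
# contributes, the input can never exceed 72 bytes, and base64 avoids NUL
# bytes, which some bcrypt implementations also treat as end of input.
def peppered_prehash(password: bytes, pepper: bytes) -> bytes:
    return base64.b64encode(hmac.new(pepper, password, hashlib.sha256).digest())


def keyed_hash(password: bytes, pepper: bytes, bcrypt_salt: bytes) -> bytes:
    return bcrypt_like(peppered_prehash(password, pepper), bcrypt_salt)


def keyed_verify(candidate: bytes, stored: bytes, pepper: bytes, bcrypt_salt: bytes) -> bool:
    return hmac.compare_digest(keyed_hash(candidate, pepper, bcrypt_salt), stored)


def password_still_matters(prefix_len: int, bcrypt_salt: bytes = b"x" * 16) -> bool:
    """True if two different passwords behind a prefix_len-byte prefix still hash differently."""
    prefix = b"p" * prefix_len
    return bcrypt_like(prefix + b"correct", bcrypt_salt) != bcrypt_like(prefix + b"wrong!!", bcrypt_salt)


def demo() -> dict:
    # Constructed values: a 40-byte salt, a 40-byte pepper, a 16-byte bcrypt salt.
    app_salt, pepper, bsalt = b"S" * 40, b"P" * 40, b"0123456789abcdef"
    stored_a = naive_hash(b"correct horse", app_salt, pepper, bsalt)
    stored_b = keyed_hash(b"correct horse", pepper, bsalt)
    return {
        "naive_accepts_wrong_password": naive_verify(b"wrong", stored_a, app_salt, pepper, bsalt),
        "keyed_accepts_wrong_password": keyed_verify(b"wrong", stored_b, pepper, bsalt),
        "keyed_accepts_right_password": keyed_verify(b"correct horse", stored_b, pepper, bsalt),
        "matters_with_32_byte_prefix": password_still_matters(32),
        "matters_with_80_byte_prefix": password_still_matters(80),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two prefix lengths is that the naive scheme is not wrong in general, only once salt plus pepper approaches bcrypt's limit; a 16-byte salt and 16-byte pepper would still leave the password in play. Scheme B removes the length dependence entirely, and because the pepper is a key rather than a string mixed into the input, an attacker holding the database replica but not the pepper is where Miklas claims PagerDuty's attacker was.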
Miklas stated that there was no evidence (absence of evidence, of course, not necessarily being evidence of absence) that any "corporate, technical, financial or sensitive end-user information, including phone numbers" had been exposed.
The CTO additionally apologised for the incident and encouraged concerned customers to contact the company directly. He explained:
Based on the investigation, the attacker bypassed multiple layers of authentication and gained unauthorised access to an administrative panel provided by one of our infrastructure providers.
With this access, they were able to log into a replica of one of PagerDuty’s databases.
The evidence indicates that the attacker gained access to users' names, email addresses, hashed passwords and public calendar feed URLs.
Asked by a customer if the company would be posting a postmortem explaining how the attackers got in and how the company would prevent future breaches, Miklas stated: "The attacker gained unauthorised access to an administrative panel provided by one of our hosting providers. At the request of law enforcement, we are not able to provide additional information."
As a precautionary measure, the company is asking its users to set new strong passwords following the breach.
Users that do not reset their password by Monday, August 3 at 12:00pm Pacific Time will be automatically logged out of the website and will receive an email prompting them to reset their password.
At no time will alert delivery be affected by this process.
PagerDuty additionally recommends that customers reset calendar feed URLs and revoke and re-add access to any mobile devices linked to their PagerDuty account. ®