This article is more than 1 year old

PagerDuty hacked ... and finally comes clean 21 days later. Cheers

Have a great SysAdmin Day everyone

Why not celebrate SysAdmin Day by worrying about a data breach at incident management peddler PagerDuty? An attacker managed to get into the company's systems on 9 July, and a belated 21 days later the company did the decent thing and informed its customers about the incident.

'Fessing up to the breach on its website, PagerDuty admitted that it detected an unauthorised intrusion by an attacker who exfiltrated "some information" about its customers back in early July.

An email sent to customers and seen by The Register is more revealing about what was exposed. The company acknowledged the attacker "gained unauthorised access to our users' names, email addresses, public calendar feed URLs, and hashed, salted and peppered passwords".

Andrew Miklas, the company's co-founder and CTO, stated that there is no evidence the attacker was able to access the pepper, which he states "makes it computationally infeasible that the hashed passwords can be used in any way by the attacker".
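An added illustration of that claim, not taken from the article or from PagerDuty: a password record that a holder of only the database row can confirm guesses against, beside one wrapped with a pepper kept outside the database. The construction (salted PBKDF2, then HMAC keyed with the pepper), all names and all sample values are assumptions; the article does not describe PagerDuty's actual scheme.

```python
import hashlib
import hmac
from typing import Iterable, Optional

ITERATIONS = 50_000  # constructed value, kept low so the demo runs quickly

# Constructed sample values, not real data.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # stored in the DB row
PEPPER = b"constructed-pepper-held-outside-the-database"  # never stored in the DB
PASSWORD = "correct horse battery staple"
CANDIDATES = ["password1", "letmein", PASSWORD]


def stored_hash(password: str, salt: bytes, pepper: Optional[bytes]) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, optionally wrapped in HMAC keyed with a pepper."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if pepper is None:
        return derived
    # Keyed wrap: recomputing this digest requires the pepper as well as the salt.
    return hmac.new(pepper, derived, hashlib.sha256).digest()


def verify(password: str, salt: bytes, digest: bytes, pepper: Optional[bytes]) -> bool:
    """Application-side login check; uses a constant-time comparison."""
    return hmac.compare_digest(stored_hash(password, salt, pepper), digest)


def confirmable_from_db(salt: bytes, digest: bytes,
                        candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate that a holder of only (salt, digest) can confirm.

    Models exposure of a database replica: the salt and digest are known,
    but anything held outside the database (the pepper) is not.
    """
    for candidate in candidates:
        if verify(candidate, salt, digest, pepper=None):
            return candidate
    return None


if __name__ == "__main__":
    unpeppered = stored_hash(PASSWORD, SALT, None)
    peppered = stored_hash(PASSWORD, SALT, PEPPER)
    print("unpeppered row confirms:", confirmable_from_db(SALT, unpeppered, CANDIDATES))
    print("peppered row confirms:  ", confirmable_from_db(SALT, peppered, CANDIDATES))
    print("app with pepper verifies:", verify(PASSWORD, SALT, peppered, PEPPER))
```

The protection holds only while the pepper stays secret and is long and random enough not to be guessed itself.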

However, a concern raised by Scott Arciszewski, among others, calls the pepper into question.

Referencing a blog post by Anthony Ferrara, Arciszewski reminded Miklas that a common but improper implementation of the pepper may make it redundant.

The CTO, who has been otherwise active in the comments, has yet to provide an answer.

Miklas stated that there was an absence of evidence (which, of course, is not necessarily evidence of absence) that either "corporate, technical, financial or sensitive end-user information, including phone numbers" had been exposed.

The CTO additionally apologised for the incident and encouraged concerned customers to contact the company directly. He explained:

Based on the investigation, the attacker bypassed multiple layers of authentication and gained unauthorised access to an administrative panel provided by one of our infrastructure providers.

With this access, they were able to log into a replica of one of PagerDuty’s databases.

The evidence indicates that the attacker gained access to users' names, email addresses, hashed passwords and public calendar feed URLs.

Asked by a customer if the company would be posting a postmortem explaining how the attackers got in and how the company would prevent future breaches, Miklas stated: "The attacker gained unauthorised access to an administrative panel provided by one of our hosting providers. At the request of law enforcement, we are not able to provide additional information."

As a precautionary measure, the company is asking its users to set new strong passwords following the breach.

Users that do not reset their password by Monday, August 3 at 12:00pm Pacific Time will be automatically logged out of the website and will receive an email prompting them to reset their password.

At no time will alert delivery be affected by this process.

PagerDuty additionally recommends that customers reset calendar feed URLs and revoke and re-add access to any mobile devices linked to their PagerDuty account. ®

 
