Toodledo Database Compromised
Jake

Toodledo Founder
Posted: Nov 01, 2013
Score: 0
Dear users,

I am very distressed to report that one of our secondary databases has been compromised as part of the massive MongoHQ breach that has affected a number of companies. We were just notified about this a few hours ago. The actual breach happened on Oct 28th.

Fortunately, this is only a secondary database for Toodledo that does not contain much user data. Here is what data may have been accessed.

1) Your IP address and date when you last signed into Toodledo.
2) Your email address, but only if you have changed your email address with Toodledo in the last 90 days.
3) The names of files that have been uploaded, but not the contents of those files.
4) The titles of shared tasks that collaborators have edited within the last 30 days, but not the details of those tasks nor the names of the collaborators.

Your task details, notes, outlines, lists and account password were all unaffected.

Currently it appears that the attackers were looking for passwords to social media accounts for spamming purposes. We do not store this type of information in this database. They may also have been looking for credit card numbers, which we do not store on any database. Our feeling is that the only data that is of value to these attackers is your email address, so please be vigilant with your spam filters.

In response, we are taking the following precautions:
1) We have changed all of our administrative and developer passwords related to this database.
2) We will begin encrypting as much data as possible across our entire service (outlines, lists and passwords are already encrypted).
3) We are exploring bringing this secondary database in-house to live behind our firewall.
4) We are conducting a complete security audit of our entire company.
5) When evaluating future 3rd party vendors, we will be more cautious.

We deeply regret that this has happened. Please do not hesitate to reach out to us if you have any concerns.

-Jake
kleerkoat

Posted: Nov 04, 2013
Score: 10
I appreciate you guys being open and transparent about the attack. Thank you.
dosmandan

Posted: Nov 04, 2013
Score: 8
It's impossible to guard against every kind of attack, but it is possible to handle it well...which you have done.

Thanks!
Salgud

Posted: Nov 05, 2013
Score: 0
Thanks for being open and letting us know!
Yonten.

Posted: Nov 06, 2013
Score: 2
Yes, I very much agree with all of the above. Thanks for how you've dealt with this.

I didn't see this announced on your twitter (which is how I keep up to speed with changes and announcements). As a result, I only fell on this announcement purely by chance.

An email out to your customers would also be a cool idea in future.

Many thanks, nonetheless.
Jake

Toodledo Founder
Posted: Nov 06, 2013
Score: 0
Yes, we would have liked to email this to everyone, but we don't actually have that capability right now. Sending out over a million emails all at once is a bit of a challenge :)

We are working on adding the ability to notify everyone about important issues in a better way.
Jason Bushell

Posted: Nov 07, 2013
Score: 0
I run a website too, and it has been compromised on a couple of occasions.

Never fun.

Thanks for the notification.
virginie

Posted: Nov 07, 2013
Score: 0
I believe I have been affected.
For several days, I have not been able to sync, but unfortunately I am not sure of the exact date of the problem or whether it coincides with October 28th.
Today, my Toodledo is written in a foreign language, probably Russian. What do you advise me to do?
Jake

Toodledo Founder
Posted: Nov 07, 2013
Score: 0
Virginie, your problem is unrelated. The database issue had no effect on the iOS app. Please open a support ticket and we will help you fix the app.
virginie

Posted: Nov 07, 2013
Score: 0
Posted by Jake:
Virginie, your problem is unrelated. The database issue had no effect on the iOS app. Please open a support ticket and we will help you fix the app.


Jake,
Thanks for your prompt reply.
I have deleted the app and reloaded it. It looks normal now. Will let you know if I get further issues.

Virginie
corlebar

Posted: Nov 10, 2013
Score: 1
Well done guys and thank you for your honesty and clear direction.
conner_mp

Posted: Nov 21, 2013
Score: 0
A pop-up window appeared in my browser today, with a suspicious message. It referenced a security breach, but the pop-up window mentions that the breach was with a company called "Global Payments," the URL for the window is from winnervisitors.com, and the window offers me a free check of my credit scores.

Your message above doesn't mention any of this, so I thought I'd verify and call this to your attention. Any further information you can provide would be appreciated.
-- Mark
Jake

Toodledo Founder
Posted: Nov 21, 2013
Score: 0
It sounds like you have gotten a computer virus. That is a classic phishing scam that you should ignore. It is unrelated to Toodledo. You should also get a virus checker to scan your computer.
Patrick

Posted: Nov 24, 2013
Score: 1
Posted by Jake:
The actual breach happened on Oct 28th.
...
Fortunately, this is only a secondary database for Toodledo that does not contain much user data. Here is what data may have been accessed.
...
1) Your IP address ...
2) Your email address, but only if you have changed your email address with Toodledo in the last 90 days.


Posted by Jake:
Yes, we would have liked to email this to everyone, but we don't actually have that capability right now. Sending out over a million emails all at once is a bit of a challenge :)


Presumably 'over a million' would be your entire user base, and the emails changed within the prior 90 days would be a much lower number. Presumably you did not 'lose' the affected database, and can identify the 90-day emails.

Whatever it took, Toodledo should have sent out an immediate advisory to the people who might have been affected. Provided with the address list there are a multitude of professional email services capable of doing this, if Toodledo lacks that relatively basic ability.

So much can be done with one's email address, which is also our userID for Toodledo. To learn of such a security breach weeks after the fact, and only because I happened to visit the forum, is very disappointing.

That email advisory should still go out.

P.


This message was edited Nov 24, 2013.
Patrick

Posted: Nov 24, 2013
Score: 1
Those interested in enhanced login security can take advantage of Toodledo's OpenID option. By utilizing an OpenID provider that allows for two-factor authentication, an OpenID-enabled account is much less susceptible to hacking, especially when logging in from others' computers or insecure locations.*
www.clavid.com is such a provider. Independent and based in Switzerland, they offer a multitude of authentication options, including SMS one-time password, SyferLock, certificate, and Yubikey.
Eventually every significant web service provider will offer a TFA login option as an alternative to static passwords. Google, Amazon, Facebook, Evernote, and Dropbox do.

http://en.wikipedia.org/wiki/Two-factor_authentication
http://en.wikipedia.org/wiki/Openid
The OpenID Foundation - openid.net

Once you have your OpenID provider set up, you'll need to add your identity URL to the Toodledo account settings.

--
You can use https:// for securing all www.toodledo.com traffic during a session. Although it's somewhat discouraged in the help topic due to the additional processing load, you can "turn on encryption" in account settings, to ensure the https:// SSL connection is used by default.
http://www.toodledo.com/info/help.php?sel=29

--
The Janrain-operated myopenid.com, linked to in the Toodledo OpenID login screen and help topics, will shut down in February. Jake, please update these.
Clavid is a dedicated Authentication / Identity Provider.
Symantec's pip.verisignlabs.com is another IP, but they have fewer authentication options and no free SMS OTP. Their mobile app can be used for TFA login to PayPal and eBay.
See openid.net for other options.

--
*assuming your base account has a strong password, to start with.

Sorry for the long post. I believe it's relevant.


This message was edited Nov 25, 2013.
j2020

Posted: Dec 06, 2013
Score: 0
I am extremely disappointed not to have received an email about this, regardless of whether or not Toodledo thought the data involved was "significant". It is only by chance that I stumbled across it in the forum news and that is unacceptable.

Security, including the means to contact customers (what would you have done if the breach had been worse?), should not be optional, even if it is "a challenge :)". There doesn't seem to be a problem sending subscription renewal emails, which says a lot about the order of priorities.
Jake

Toodledo Founder
Posted: Dec 06, 2013
Score: 0
I am sorry that we were not more proactive about notifications. This is the first time that anything like this has ever happened to us, and we didn't know quite how to deal with it. We now have the capability to email everyone all at once. Before, we could only send a few thousand emails per day which was sufficient for reminder emails, but not capable of notifying everyone. If this happens again in the future (hopefully not), we will communicate better.

To give an update about other steps we have taken:

1) All data stored in the affected database is now encrypted. This includes your IP address, email address, file names and shared task titles.
2) We are in the process of moving this database to a new platform that has tighter security measures.
3) We are in the process of redesigning our API to improve security of your data when syncing with 3rd party apps. When we are done, 3rd party apps will no longer need to store your Toodledo password and you will be able to grant limited permissions to apps to prevent them from accessing data that you don't want the app to access.

We deeply regret that this happened, and we are taking great measures to protect users' data going forward.
Technutz

Posted: Dec 08, 2013
Score: 1
Since I live in Toodledo and am using more and more of its features, rather than an email how about a logon notice, like a maintenance notice with a link to click on for more information. I just found out about this and use it daily...

Encrypting everything I agree with.

Thanks for all your hard work.
j2020

Posted: Dec 09, 2013
Score: 1
Thank you, Jake, for the thoughtful and informative reply. I'm glad to hear about the changes that are being made.