I’m not sure what route we are going to take, this is probably going to end it for us for BS. Once certain people get wind of this they are going to cut it off fast.
The real question is the legitimacy of the claims. It is one thing to get hacked, but an entirely different thing if the hack isn’t as bad as it sounds. The anonymous email on pastebin made it sound horrid.
We actually don’t use browser stack (much – if at all). We actually have VMs here internally with the browsers we “support”.
Time will tell. I haven’t seen a lot of information coming from BrowserStack themselves, other than admitting to the hack and taking actions to stop additional access by said hackers (assuming this is what they meant by “sanitizing entire BrowserStack”).
They did note on Twitter that the hacker’s access was only limited to an email list. It seems that the downtime was a preventative closure on their end to investigate the breach. If that’s true, does that affect how we feel about it? I guess I feel like such an organization should be all about security. I know mistakes happen… but… I don’t know. It shakes your confidence, doesn’t it? I’ve used them before for my own work, and it was on the agenda for discussion with my boss this week, oddly enough. Think I may pull that recommendation now… not sure.
Keep in mind, as your site becomes more well known, you become a bigger target. Hackers will undoubtedly pound your systems to see what security holes they can find. Access to a mailing list is minor. Take a look at the recent security breaches, Home Depot, Target, etc. and it becomes quite obvious that BrowserStack’s issues are not nearly as scary.
If the hackers found a way to pull up past data from the VMs, retrieve the credentials used in those sessions, etc. We’d be having a much more difficult conversation right now. That would be a serious problem, one that should have been well considered years ago.
It wouldn’t surprise me if BrowserStack used a third party mailing list application and one of the admin/editor accounts was hacked into so they could send out a massive email to everyone. If you ask me, that just means someone chose a poor password, or re-used an existing password on another site (that was easier to hack).
I just hope BrowserStack does the right thing here and outlines what exactly happened. The more companies do that, the more aware the rest of the population becomes in creating secure unique passwords or in ways to better protect themselves and the companies they represent.
Absolutely, yeah. They’ve said when the dust settles we’ll get a post-mortem, so here’s to hoping it’s a thorough and honest one, or as much as it can be safely. And that it really was just emails.
Access to a mailing list is minor.
…
It wouldn’t surprise me if BrowserStack used a third party mailing list application and one of the admin/editor accounts was hacked into so they could send out a massive email to everyone.
…
I just hope BrowserStack does the right thing here and outlines what exactly happened.
Yeah, that’s why I’m waiting to let anyone know about this. The people who could and would cancel our access are absolutely not technologically inclined. They would probably freak out if they knew I frequented HN.
Though at some point, I’m going to have to bring it up.
Fair point. And my boss is technically inclined, but is also inclined to security panic. Maybe I’ll wait to have that discussion we were going to have, too.
Automate and Screenshot services are up and running. Live will shortly be up. We will email all users with the entire analysis of the attack soon. Once again, we apologize and regret any inconvenience caused and the startling email you received. Thanks for your patience.
It is great to see someone from BrowserStack chime in here. I look forward to seeing/reading about what happened (always looking for opportunities to see what security points we may be missing that I can glean from those who’ve gone through these ordeals).
The big worry I’ve been seeing from other postings online is that the contents of the email sent fraudulently by the hackers may have true bits - about insecure servers, shared root passwords, et cetera. If so, although the hackers didn’t do anything, possibly, it’d still represent some massive vulnerabilities.
On the other hand, entirely possible it’s just the hacker(s) making stuff up. We shall see when BrowserStack tells us?
Wow, that was far more detailed and transparent than I would have expected. To me it sounds legit and that they aren’t trying to hide or misguide anyone into believing the problems were less than they seemed.
Very good for them for detailing the event to the extent they did. It’d make me feel better about continuing to use them.
I bet there’s a security / ops guy at BrowserStack who’s feeling thoroughly vindicated. Sounds like they’ve got a strong production system, but it’s a reminder that you’re only as secure as your weakest link.