On July 9, 2015, our engineering team detected a security incident whereby an attacker gained unauthorized access to our users’ names, email addresses, public calendar feed URLs, and hashed, salted and peppered passwords. We realize the sensitivity around this type of event, and will work with our customers to address any concerns they may have.
Within hours of the start of the intrusion, we were able to detect and remove the attacker, and shut down the attack. We also notified law enforcement and retained a leading cyber security forensics firm to help with our investigation and remediation. Based on the investigation, we have found no evidence that corporate, technical, financial, or sensitive end user information, including phone numbers, was exposed by this incident. We protect our customers’ passwords by hashing them with a salt and pepper. We have found no evidence that the attacker gained access to the pepper.
We consider the security of our customers’ information paramount, and have taken several steps to further harden our systems. While we are confident in the strength of the protections used to secure users’ passwords, as a precaution we are asking our users to set new strong passwords at this time. Users that do not reset their password by Monday, August 3rd at 12:00pm Pacific Time will be automatically logged out of the website and will receive an email prompting them to reset their password. At no time will alert delivery be affected by this process.
We also recommend that customers reset calendar feed URLs and revoke and re-add access to any mobile devices linked to their PagerDuty account.
We realize that an attacker might use email to conduct a phishing attack, so we urge you to be vigilant in protecting your identity online. PagerDuty will never ask for your password or other sensitive information via email.
I have been personally involved in our response every step of the way. We value your trust and confidence in our company and we strive to meet the high standards we set for ourselves. I take this event as an opportunity to review and enhance our security, and remain committed to strong internal security practices and processes.
We apologize for this incident. If you have questions, we have published a blog post with more details or you can contact us directly at email@example.com.
Thank you for being a loyal member of the PagerDuty community.
Co-founder and CTO
"On July 9, 2015", it says, but today is the 31st. Isn't this announcement far too late?
Important Security Announcement From PagerDuty