We’re currently investigating a security incident on our Ankara server. A third party obtained access to the server over the weekend and we believe they were taking steps to do something nefarious with our server. They gained access through our hosting provider, not through an exploit of one of our servers. We believe this was an opportunistic attack against an exposed service, not a targeted attack against our network. Their actions triggered automated checks that led to our team discovering the intrusion and shutting the box down until we could investigate further.
As a result of this incident we are requiring all users belonging to organizations that have added Ankara to their account to change their passwords within the next 7 days. Passwords not reset within that time will be reset, and you'll need to use the forgotten password feature to log in again.
Affected users should change their password (and are being emailed directly).
What we believe the attacker accessed:
- Nothing. Logs show the attacker installing new tooling on the machine, likely to use it to launch attacks against other servers.
What the attacker could have accessed:
- The username and hashed password for every user with access to Ankara, as well as the list of all whitelisted IPs for those users.
- Two days of proxy access logs (August 2 - August 4 UTC), including username, accessing IP address, remote server hostname/IP, bytes transferred, and for HTTP connections the full URI to the resource.
- VPN access logs from the same time period, including the time connected, time disconnected, and bytes transferred.
If you have any questions or concerns please reach out: firstname.lastname@example.org
The standard Proxy-Authorization header passes usernames and passwords in plain text. We’ve been evaluating adding support for Digest authentication, which uses MD5 hashes.
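To make the footnote concrete, the following is an added example (not WonderProxy code) that contrasts what an observer of a logged or intercepted Proxy-Authorization header learns under Basic versus Digest, and how a Digest-capable proxy verifies a request while storing only HA1 rather than the password. The realm, nonces, username and password are constructed values; the Digest computation follows RFC 7616 with algorithm MD5 and qop=auth.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example (not taken from any real log).
REALM = "proxy.example"                          # assumed realm name
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # constructed server nonce
CNONCE = "0a4f113b"                              # constructed client nonce
USER, PASSWORD = "alice", "hunter2"


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_proxy_authorization(header_value):
    """Split a Proxy-Authorization value into (scheme, parameter string)."""
    scheme, _, params = header_value.strip().partition(" ")
    return scheme.lower(), params.strip()


def parse_digest_params(params):
    """Parse the comma-separated key=value list of a Digest header.
    Values may be quoted; commas inside quoted values are not handled."""
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip().strip('"')
    return out


def what_an_observer_learns(header_value):
    """What someone who can read this header (e.g. from a leaked access log
    or a compromised proxy host) learns about the user's credentials."""
    scheme, params = parse_proxy_authorization(header_value)
    if scheme == "basic":
        # Basic is base64(username:password): an encoding, not encryption.
        user, _, password = base64.b64decode(params).decode("utf-8").partition(":")
        return {"scheme": scheme, "username": user, "password": password}
    if scheme == "digest":
        fields = parse_digest_params(params)
        # Only MD5 digests travel on the wire; the password itself is absent.
        return {"scheme": scheme, "username": fields.get("username"), "password": None}
    return {"scheme": scheme, "username": None, "password": None}


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password): what a Digest proxy stores instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response value for algorithm MD5 and qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(username, password, method, uri, nc="00000001"):
    """Client side: build the Proxy-Authorization: Digest header for one request."""
    ha1 = digest_ha1(username, REALM, password)
    resp = digest_response(ha1, method, uri, NONCE, nc, CNONCE)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, REALM, NONCE, uri, nc, CNONCE, resp))


def verify_digest(header_value, method, ha1_store):
    """Proxy side: recompute the response from the stored HA1 and compare in
    constant time. The proxy never needs the clear-text password."""
    scheme, params = parse_proxy_authorization(header_value)
    if scheme != "digest":
        return False
    f = parse_digest_params(params)
    ha1 = ha1_store.get(f.get("username"))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))


# Constructed headers for a CONNECT through the proxy to example.net:443.
BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
DIGEST_HEADER = build_digest_header(USER, PASSWORD, "CONNECT", "example.net:443")
HA1_STORE = {USER: digest_ha1(USER, REALM, PASSWORD)}

if __name__ == "__main__":
    print(what_an_observer_learns(BASIC_HEADER))    # password is visible
    print(what_an_observer_learns(DIGEST_HEADER))   # password is None
    print(verify_digest(DIGEST_HEADER, "CONNECT", HA1_STORE))  # True
```

Two caveats worth keeping in mind when weighing Digest as the mitigation: the HA1 value the proxy stores is an unsalted MD5 over user:realm:password, so a leaked credential table of the kind described above is still cheap to guess against offline, and MD5 itself is a legacy choice. Digest removes the password from the wire and from access logs, but it does not replace strong password storage or the password rotation this notice requires.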
For customers using SSO this would only be their WonderProxy password, not their identity provider (e.g. Google or Outlook) password.