Emsisoft Data Breach - Incident report

Minimalist
Today, February 3rd 2021, at around 15:20 UTC, we became aware of a data breach on one of our test systems. We used the system to evaluate and benchmark possible solutions relating to the storage and management of the log data generated by our products and services.

Unfortunately, due to a configuration error, one of the databases was accessible to unauthorized third parties from January 18th 2021 to February 3rd 2021. We have reason to believe that at least one individual accessed some or all of the data contained within that database.

The stolen data in question consists of technical logs produced by our endpoint protection software during normal usage, such as update protocols, and generally does not contain any personal information like passwords, password hashes, user account names, billing information, addresses, or anything similar. However, as part of the investigation, we noticed that 14 customer email addresses were part of the scan logs due to detections of malicious emails stored in the users’ email clients.
Pretty bad news, and Emsisoft is making the right decision to disclose the breach and bite down on the "sour lemon" that will hit them for sure. Personally, I wonder what database this was. I wouldn't be super surprised if it's a damn Elasticsearch again. :rolleyes:
Quote:
'The cherry tree myth is the most well-known and longest enduring legend about George Washington. In the original story, when Washington was six years old he received a hatchet as a gift and damaged his father’s cherry tree. When his father discovered what he had done, he became angry and confronted him. Young George bravely said, “I cannot tell a lie…I did cut it with my hatchet.” Washington’s father embraced him and rejoiced that his son’s honesty was worth more than a thousand trees'
It seems that such attacks are pretty common nowadays. For example, the below large security firms were successfully attacked in 2020/2021: Microsoft, FireEye, SonicWall. :unsure:
But what is common between these attacks to assume it is the same group behind them?? However, all these attacks were mainly for something like, say, not for profit, such as ransomware or any other data breach of a large financial institute :unsure: :unsure: ?
This wasn't a targeted attack. Based on the results of our internal investigations, we are pretty confident that this was an automated attack and not specifically targeted at Emsisoft. Also, our traffic logs indicate that only parts of the affected database were accessed and not the entire database. However, due to technical limitations, it’s impossible to determine exactly which data rows were accessed. So we continue to assume that the 14 rows that contained private information about users were accessed.
If I correctly recall, another Microsoft breach in December 2019 was also accidental due to the misconfiguration of an internal customer support database used for Microsoft support case analytics. They also claimed that there was no evidence that cybercriminals accessed the exposed database, but who knows the truth?
  • December 28, 2019 – The databases were indexed by search engine BinaryEdge.
  • December 29, 2019 – Comparitech researcher Bob Diachenko discovered the databases and notified Microsoft.
  • December 30-31, 2019 – Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
Quote:
'This wasn't a targeted attack. Based on the results of our internal investigations, we are pretty confident that this was an automated attack and not specifically targeted at Emsisoft. Also, our traffic logs indicate that only parts of the affected database were accessed and not the entire database. However, due to technical limitations, it’s impossible to determine exactly which data rows were accessed. So we continue to assume that the 14 rows that contained private information about users were accessed.'
Thank you for your transparency. Data breaches suck and it seems like, thanks to your industry leading privacy practices, Emsisoft didn’t have a lot of personal info stored in the first place. This is the most humble and responsible way a company can handle this kind of incident.
When a failure or a problem occurs, what kind of post-processing does a company do and what kind of response does it take?

I think it is quite important not to make mistakes in those responses. Companies that cover up inconvenient things lack credibility.
I am convinced that Emsisoft made the right decision by announcing this matter to the public at an early stage.