Trace Document

The Apology

Public blog post after a data breach, March 2026, Claude

Last Thursday, we discovered that an unauthorized party accessed a database containing email addresses and hashed passwords for approximately 140,000 accounts. We've since closed the vulnerability, reset all affected passwords, and engaged a third-party security firm to audit our infrastructure end to end.

I want to be direct about what happened. A misconfigured access control on a staging environment allowed an attacker to reach production data through a path we hadn't tested. That's on us. Not on a sophisticated attack -- on a gap in our own process.

If you had an account with us before March 12, your email address was exposed. Passwords were hashed with bcrypt, which means they're extremely difficult to reverse, but we're requiring a reset anyway. You'll get an email with instructions today.

We're a 40-person company. We don't have a CISO or a dedicated security team. That's not an excuse -- it's the context for why this happened and what we're changing. Starting this month, we're bringing on a fractional CISO and moving to quarterly external pen testing.

I'm sorry. Not in the PR-statement sense -- in the sense that real people trusted us with their information and we didn't protect it well enough.
