
[UPDATE 11/5/2007] If you’re a former GetActive client (and you were unlucky enough to have your Convio system hacked), you might have just received an e-mail that reads like this:
Convio has identified a security attack against our GetActive software systems that has resulted in your constituent data being accessed by an unauthorized third-party. We take this attack very seriously and are committed to working with you to minimize the impact on your organization and your constituents. The third-party sought to download email addresses and, in some instances, member passwords. There was no loss of credit card data. We are confident that this is the extent of the breach:
Only certain clients on the GetActive software platform were affected. No clients using the Convio software platform were affected. Unauthorized downloads of email addresses and member passwords were conducted against 92 GetActive clients, including your organization. Preparations for similar downloads were made against an additional 62 GetActive clients, but were not executed and did not result in data loss.
The breach occurred between October 23 and November 1, 2007.
We discovered the breach late in the day on November 1, and worked through the night and all day on Friday to make sure we understood fully the severity and how to help you through the situation.
The attack was carried out by an outside party who temporarily gained limited access to our systems. As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft.
We are notifying you and all other affected clients, as well as those that were not affected so that they understand the situation. We are working over the weekend to provide further information and support and will update you on Monday with the latest information.
What you should do next
We recommend that you notify those constituents with user-created passwords that may have been disclosed. Some of these individuals may use the same email address and the same password with multiple online service providers. Notifying these members will help protect them against compromise of their other online accounts. At the bottom of this message you will find a sample email we have prepared. Members with user-created passwords are a subset of your full email list. To help your organization communicate with these individual[sic], we have provided a query within your dashboard that can be used to identify this segment of your list. Additional instructions for your GetActive platform administrator are provided below. Please feel free to contact your account manager, who is aware of this situation and will be available to provide support and further updates.
We will provide further guidance about whether we recommend additional notification regarding disclosures that involved only email addresses and any additional updates on Monday. At that time, we will also provide you with a dedicated 800 number and Web page to provide ongoing updates.
Security breaches are bound to happen, and Convio did the right thing in notifying its clients as quickly as it could. There’s an additional web site that offers advice to your constituents at http://www.convio.com/onlinesecurity. I’m seeking more details from Convio regarding some items that cropped up in the e-mail. My questions are:
- There was an outside firm that notified Convio of the breach. What does that company do? E-commerce? Hosting? Networking?
- Also, do you have technical details on how this was done? Was it a social engineering attack, XSS or some other method?
It’s too soon to get more details out, but I had to break this news so that you former GetActive clients can start communicating with your constituents.



Thanks, Allan! I’m a GetActive client (at Fellowship of Reconciliation) and I hadn’t seen this notice at all.
No problem, Ruby. It’s probably a good thing that you didn’t get the e-mail. The e-mail was sent out only to orgs Convio thinks were affected by the breach. I would probably try talking to Convio first before notifying your constituents.
Just got an e-mail from Sheeraz (in response to my comment here) saying we were not among the impacted clients. Whew!
We apologize for any confusion. We have confirmed that all the clients who were affected have been notified. The email below was sent to those that were not affected, but we realize not all of them have received or seen that email. At this point if you have not been notified that you were affected that is positive. Your account managers have been working around the clock this weekend to help your peers and will be available tomorrow if you have questions. We’ll resend to the unaffected organizations in the next couple hours to help alleviate any concerns. I am Convio’s Director of Corporate Communications.
Dear client,
Convio has identified a security attack against our GetActive software systems that has resulted in constituent data for 92 clients being accessed by an unauthorized third-party. Your organization was NOT among those affected; however, I wanted to communicate directly with you so that you are aware of the facts about the breach. In all cases there was no loss of credit card data. We are confident that this is the extent of the breach:
Only some clients on the GetActive software platform were affected. No clients using the Convio software platform were affected. Once again, your organization was NOT one of those affected.
Unauthorized downloads of email addresses and member passwords were conducted against 92 GetActive clients. Preparations for similar downloads were made against an additional 62 GetActive clients, but were not executed and did not result in data loss.
The breach occurred between October 23 and November 1, 2007.
We discovered the breach late in the day on November 1, and worked through the night and all day on Friday to make sure we understood fully the severity and how to help our clients through the situation.
The attack was carried out by an outside party who temporarily gained limited access to our systems. As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft.
We are notifying all affected clients, as well as you and the other clients that were not affected so that they understand the situation. We are working over the weekend to provide further information and support and will update you on Monday with the latest information.
Please feel free to contact your account manager, who is aware of this situation and will be available to provide support and any further updates. We will provide further guidance and or information in the coming days. Thank you for your support and trust.
Regards,
David Crooke, Convio’s CEO, wrote an article about security in 2004 where he said:
“The only truly safe solution is both simple and bulletproof: Do not store credit card numbers at all.”
Is this still the case with Convio or have things changed since then?
This is Eileen Bayers, VP of customer relations at Working Assets. We notified our users of the breach last night. (and that was our political director at Kos). Here’s some of the information from that notice:
“Your email address and password for managing your ActForChange and WorkingForChange subscriptions were obtained by an unauthorized third party. Please note that the database holding account information related to Working Assets long distance, wireless and credit card accounts was not affected.
There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc.”
Does this mean that GetActive was storing user passwords in plain, unencrypted text? That is somewhat shocking to me.
I wonder if they just stored the passwords using an easily breakable MD5 hash. It’s enough to keep people’s passwords private from casual snoopers but not really determined identity thieves.
I believe they are storing passwords unencrypted. They have a “feature” which will send you your password in an email if you forget it. Such a feature is only possible if passwords are stored in plain text.
As customers of GetActive, we should demand that in the future they store passwords in an encrypted format and, instead of sending users their old password, reset passwords to a randomly generated password in case a user forgets, and send that random password in an email.
Encryption isn’t 100% security, but it is pretty good, and a hell of a lot better than just storing things in plain text.
Oh boy, that IS bad isn’t it? I didn’t realize GetActive did that for users and that makes sense since the e-mail warning was sent out only to GetActive customers whose users were allowed to set their own passwords. That’s a pretty large security hole.
I wonder how many users were affected by all of this.
In reply to Aran and passwords stored in plain text, that is not always true. There is a method of storing passwords with salt that allows you to get an encrypted string back if you have the right key for the string.
http://en.wikipedia.org/wiki/Salt_%28cryptography%29
This is still not a great way of storing passwords though.
In reply to Kyle, for Convio to send you back your original password, they have to either store them in plain text or use a two-way encryption algorithm. One way encryption (like MD5 and the venerable CRYPT) should be harder to break than 2 way encryption. Even then, brute forcing passwords is pretty trivial, see http://www.codinghorror.com/blog/archives/000949.html
Of course, this is total conjecture but even if the passwords were salted, what if the private salt was stored on the same server as the passwords and the compromise was big — like the actual loss of that server to the bad guys? That would be the perfect storm for Convio. The CI Host break-in would fit that scenario the best. Convio denies this and we don’t have an easy way of verifying this but the security breach took place three weeks after that CI Host break-in. It’s all circumstantial though.
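The storage question debated above (a reversible store that makes “email me my password” possible, versus a one-way salted hash with a random-password reset as Aran suggests, and the salted-versus-unsalted point raised in reply to Kyle), as an added example that is not GetActive or Convio code. The class and function names are hypothetical. Note that the per-user salt here is stored right next to the hash and is not a secret: it stops identical passwords from producing identical stored values and defeats precomputed tables, while the cost of guessing from a leaked table comes from the slow PBKDF2 hash, not from hiding the salt.

```python
"""Illustrative password-storage code (added example, hypothetical names).

PlaintextStore is the design that lets a site mail back the old password.
HashedStore keeps only a per-user salted PBKDF2 hash, so a copied table
yields no passwords, and "forgot password" issues a random temporary one."""
import hashlib
import hmac
import secrets


class PlaintextStore:
    """Stores the password itself: whoever copies the table has every password,
    and the 'forgot password' mail reveals it in the clear."""

    def __init__(self):
        self.users = {}  # email -> password (constructed in-memory table)

    def register(self, email, password):
        self.users[email] = password

    def forgot_password(self, email):
        # Only possible because the password is stored reversibly.
        return self.users[email]


# PBKDF2-HMAC-SHA256 work factor; one guess costs 100k hash calls instead of
# the single MD5 call an unsalted digest column would need.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt is drawn per user unless the
    stored one is supplied for verification."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class HashedStore:
    """Stores only a one-way salted hash; the old password can never be mailed back."""

    def __init__(self):
        self.users = {}  # email -> (salt, digest)
        self.must_change = set()  # accounts currently on a temporary password

    def register(self, email, password):
        self.users[email] = hash_password(password)
        self.must_change.discard(email)

    def verify(self, email, password):
        record = self.users.get(email)
        if record is None:
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, candidate)

    def forgot_password(self, email):
        """The hash cannot be reversed, so replace the password with a random
        temporary one. The caller e-mails it; the user must change it on login.
        Returns None (nothing to send) for an unknown address."""
        if email not in self.users:
            return None
        temporary = secrets.token_urlsafe(12)
        self.users[email] = hash_password(temporary)
        self.must_change.add(email)
        return temporary

    def change_password(self, email, current, new):
        if not self.verify(email, current):
            return False
        self.users[email] = hash_password(new)
        self.must_change.discard(email)
        return True


def unsalted_md5(password):
    """A bare MD5 column: identical passwords give identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def compare_storage(pw="correct horse"):
    """Two users sharing a password: returns (md5_digests_equal, salted_digests_equal),
    i.e. (True, False), which is exactly what the salt buys you."""
    store = HashedStore()
    store.register("a@example.org", pw)
    store.register("b@example.org", pw)
    salted_equal = store.users["a@example.org"][1] == store.users["b@example.org"][1]
    return unsalted_md5(pw) == unsalted_md5(pw), salted_equal
```

The temporary-password flow mirrors the thread’s suggestion; a time-limited, single-use reset link is the more common modern variant, but either way the server never needs to know the user’s chosen password after it has been hashed.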
I can tell you for sure that passwords are stored in plain, unencrypted text. We have had quite a few members complain about this. It’s disheartening to know that there’s nothing we, as clients, can do to protect our members….other than change vendors, which we don’t want to do.
With the upcoming forced migration to the Convio platform, does anyone know if the Convio platform uses encrypted passwords?
Hi all, you are more than free to not use your real names when responding in comments. And put in fake e-mails if you want to as well. I would like you all to start dishing about these kinds of issues with vendors such as Convio and Blackbaud. I would have certainly tried to warn people about unencrypted passwords at Convio if this had been the case. And of course, you’re more than welcome to do so yourself. Dish dish dish!
Thanks for the link to that Coding Horror article.
In the comments was a link to an interesting discussion about another company’s decision to store passwords in plaintext to preserve the “email me my password” functionality.
http://reddit.com/info/usqe/comments/cuugl
I don’t think users would like this feature as much as many do, if they knew what was being sacrificed in order to provide it.
I will be very interested to find out if Convio has made the same data design decision.
Why were we (members of ACTFORCHANGE) not notified until late Sunday afternoon Nov. 4th if the attack was evident on Thursday the 1st of Nov? I would have to agree with the thought process that it should be a bit difficult for me to retrieve a forgotten or lost password if it means having it actually be a secure password and not the electronic equivalent of something lying around on the bosses desk, versus being locked in the filing cabinet, if not in the company’s safe itself.
This is Eileen Bayers again, from Working Assets/ActforChange. I appreciate your concern about the timing of the notification. Our email to customers went out within hours of the time we were informed of the breach by Convio. We understand the urgency of an issue such as this, and made it a top priority to understand what had happened, and let our members know as quickly as possible. If you would like to reach me directly, my email address is ebayers at workingassets dot com.
We just got our notification today! Apparently quite late!
It looks like Salesforce.com, another CRM provider, was also broken into. They were broken into after one of their employees was taken in by a phishing scam that got his username and password. I don’t know if Convio and Salesforce are related at all and I’m poking around online to see if I can find more info.
This is the first notice I got, this evening at 10:45PST. Apparently they think they’ve notified me before:
Dear Brian,
To begin, let me thank you for your understanding and the many words of support both to me and to your dedicated team of account managers. We certainly understand the anxiety and frustration that have resulted from this incident, and we take it very seriously. I plan to provide you with regular updates on this incident to ensure you have the information you need to address its consequences within your organization as well as with your constituents.
We are still investigating the details of the intrusion, but we can share that the attack was perpetrated by an outside party commandeering the account of a Convio staff member. Working as an authorized administrator, the intruder was then able to access client data. We are working with the FBI and have hired forensics experts to help us undertake a complete evaluation of how the intruder was able to compromise the staffer’s account. We will share as much information as possible in the coming weeks.
We are implementing additional measures to strengthen our security. Below are some of the steps we’ve already taken:
Reset all system level account passwords and will reset passwords for all client administrative accounts,
Restricted administrative access to our systems to corporate IP addresses,
Scanned all systems for any remnants of the intrusion,
Revised security procedures across the company, and
Accelerated planned investments in additional technical and human security systems that will help reduce the risk of future breaches.
Below my signature we are providing a sample paragraph that we recommend you place into your normal communications. The information directs constituents to a Web site with consumer-friendly tips that help with this incident, but also provide more information to your constituents in helping protect their online privacy. That site is http://www.convio.com/onlinesecurity.
Beginning tomorrow at 12:00 p.m. (noon) Central, we will be staffing a toll-free number that you can provide to your constituents who might have questions. Please understand that the staff on the phone lines will be providing online tips to help make people more secure, not answering questions specific to your organization and technical detail. That number is 1-800-501-8193.
Our entire team is committed to your continued success — from the account managers and technical support team, to the executive team. We look forward to working with you through this challenge.
We will continue to provide you updates through your account management team and via appropriate email communications.
Regards,
Gene Austin
CEO, Convio, Inc.
——————————————————————————–
Sample communication to constituents/members:
As we continue our push into the digital age, we are seeing a not too surprising rise in phishing and other online scams as criminals migrate their schemes to the Internet. In light of the recent security intrusion against the company we contract with to provide online services, we are encouraging all our members to be more diligent about online security. For a list of tips and suggestions to ensure the safest possibly online experience, please visit http://www.convio.com/onlinesecurity.
Copyright 2007, Convio Inc. All rights reserved.
Convio is headquartered at 11400 Burnet Rd, Bldg 5, Ste 200, Austin, Texas 78758. Visit us on the Web at http://www.convio.com.
@Kyle B., I believe the Convio and salesforce.com issues are unrelated. However, I would recommend trust.salesforce.com. That’s the future of vendor transparency. All our other vendors are pretenders to the throne for now.
As far as I know, I’ve never been a client of Working Assets. Can anyone suggest why I would have been sent their security breach email notification? Is there a list of Convio clients that an average consumer/internet user might be able to identify a connection with?
Hi, this is Eileen from Working Assets checking back in. Our security notice went to everyone on our email list affected by the Convio breach. Our list included people who took actions on our actforchange site, subscribed to WorkingforChange newsletters, participated in our online voter registration programs, or signed one of our online petitions. There are some subscribers who haven’t participated for quite a while, and may not remember being part of our community. Please check out the link we sent to retrieve your password. Your password may have been generated by the system, but you can check to be sure it’s not something you use elsewhere. My email address is in a post above if you would like to contact me directly for more information.
@Eileen Bayers — Thanks, Eileen, for your participation in the comments thread. It’s great to see you being proactive here. However, there doesn’t seem to be a space on the Working Assets web site for users affected by the breach. I would expect that you would want to set one up?
Thanks. Yes, we sent a link to the page on our site to those affected - it’s at https://www.workingassets.com/Retrieve/SecurityFAQ.aspx. It’s also linked from our home page at http://www.workingassets.com as well as from our privacy page.
@Eileen Bayers — Thanks for your quick response! I also adjusted the URL in your comment so that it would link to the right place.
Thank you Eileen. It was a WorkingAssets site-generated password. Somewhere tucked in the breach notification is a short “for example” list of companies/websites that might be affected, amazon being one noted. Does anyone know if there is a definitive list?
No problem. We mentioned Amazon and a couple of other sites in our email as suggested places people might be using the same password they do with us. These sites were not affected by the breach. I don’t know if Convio has released a full list - we asked for it and were told they would not release it to us.
I am a Working Assets user and received this letter about the compromise of my data:
____________________
IMPORTANT NOTICE FROM ACTFORCHANGE
Dear Subscriber,
We regret to inform you that the company we contract with to provide online services, Convio, has identified a breach of one of their internet security systems. There was no breach of personally identifiable information or credit card data, but your email address and password for managing your Act For Change and Working For Change subscriptions were obtained by an unauthorized third party.
There is potential for misuse of this information should you use the same email address and password on other personal accounts (e.g., banking, PayPal, Amazon, etc.). Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:
* If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.
* Pay careful attention to emails you may receive requesting personal and financial information, and only provide it when you can confidently confirm that it has come from a trusted organization.
* Report any suspicious activity immediately to the account provider (bank, credit card, etc.) and to credit bureaus.
We take your privacy seriously, and as a protective step have immediately deleted all passwords from the Act For Change and Working For Change website and subscriptions. This will not affect your subscriptions or site usage, and you will simply be prompted to create a new password when you go to manage your account.
Our vendor Convio has asked us to convey their deepest apology and assurance that security has been restored. If you have any questions or concerns, please feel free to call (800) 788-0898* or email customerservice@wafs.com.
Stephen Gunn
Vice President, Operations
Working Assets
* Customer Service Hours: Monday-Friday 5:00am - 7:30pm, Saturday 8:00am - 4:30pm PST
____________________________
I have sent 2 requests for assistance to these email addresses and received no reply
____________________________
From Michael Hudson
to customerservice@wafs.com,
customerservice@workingassets.com,
date Nov 7, 2007 8:39 PM
subject SECOND REQUEST - Fwd: Important Notice: Security Breach
mailed-by gmail.com
———- Forwarded message ———-
From: Michael Hudson
Date: Nov 4, 2007 9:44 AM
Subject: Re: Important Notice: Security Breach
To: ActForChange , customerservice@wafs.com
I use this combination at over a hundred different sites including my financial institutions. I’ll need you to send someone out to consult on the scope and correction of the breach.
Michael Hudson
____________________
In 2006 my New Year’s resolution was “nothing will go wrong in the world for lack of me ‘complaining’ about it”. That year I signed almost 4000 online petitions and created accounts with this combination at hundreds of sites, including sites that might provide my personal financial info if they were logged into with this combination. I received notification of the compromise from http://www.freepress.net and http://www.workingassets.com.
Convio has not just screwed up a little here.
If I were to attempt to fix this myself it would take me a week to research all of the sites that I have user accounts at with the compromised information.
I can’t fix this alone and the silence from those who allowed the breach is unforgivable.
I am going to need someone to help me comb through almost a Gig of Gmails to identify every site I used that combination on and assist me with the changes.
Is the altruism of these sites limited to accomplishing your agenda and are you done with me now or are you going to do the right thing and repair this damage?
Michael, thanks for letting me know that you have not yet heard from us. We’re responding as quickly as possible to subscribers who have requested help to react to the Convio breach. I’ll respond via email to your concerns.
and Convio still isn’t talking.
I don’t think it makes a lot of sense for Convio to release that list. In fact, I would be horrified if I were a Convio customer and they released the list. Affected companies should exercise their own particular policies towards a security breach on their own and not without Convio’s prodding. That said, it’s fairly easy to compile such a list after the fact if we can get affected consumers to complain on the Web about it.
Out of 92 companies, we know that Working Assets and CARE were affected. That’s a pretty low percentage of known companies. If anyone here knows of more, please post them to the thread.
You can add Freepress.net to the list. They provided me with this notification:
____________
On Nov 5, 2007 11:02 AM, Josh Silver, Free Press wrote:
free press: media is the issue
Dear Michael,
The company we contract with to provide online advocacy and messaging services, Convio Inc., has identified a breach of one of their Internet security systems by an outside party.
The breach was extremely limited in scope and affects less than 1 percent of our online activists; unfortunately, you may have been one of those affected.
Fortunately, there was no breach of personally identifiable information or credit card data. However, it is possible that your e-mail address and the password you use for managing your e-mail subscriptions with us were obtained by an unauthorized third party.
There are some steps you can take to prevent misuse of this information. If you use the same e-mail address and the same password for your accounts with other Web sites (e.g., Yahoo, Amazon, PayPal, your bank, etc.), we recommend that you change your password with those organizations as soon as possible.
We also recommend that you be on the alert regarding e-mail that appears to be from a brand-name organization and that encourages you to visit a Web site to provide personal and financial information. Please be assured that we will never ask you to provide such personal information in an email. You should delete any such email you receive.
We sincerely apologize for any inconvenience this may cause. We take your privacy seriously, and we are committed to protecting it. In the next month, we will be discontinuing use of the system that was breached and switching to a new technology platform we believe to be superior. We have also deleted your password from the system to prevent unauthorized access to your account.
If you have any questions or concerns, feel free to call us toll-free at 1-877-888-1533 or email us at info@freepress.net.
Thank you for your continued support.
Sincerely,
Josh Silver
Executive Director
Free Press
Eileen,
While the situation really sucks, let me say thanks to you & the rest of Working Assets for getting word out as quickly as you could. I got your notice a day or two before I heard from the other groups with which I apparently had a password stored (unbeknownst to me).
I hope you’re all planning a huge lawsuit against Convio. The scale of this screwup appears to be massive, and it certainly seems like you & the other orgs affected have grounds for damages.
As Convio’s vague notification warns to be aware of any suspicious email from major corporations and suspended account notices, Pagoo.com might be affected. It’s weird. This little on-line phone answering service, of which I might now be the only subscriber since I still operate a dial-up connection (I have issues with being bullied into high-speed/dsl/cable from the only provider in my area), suspended my account without notice. I noticed. No deduction for the month of October. I looked into my online Pagoo account to find it suspended. I notified customer service and received a very poorly constructed response (bad grammar and typos). Weird. They claimed they had notified me by email and that my credit card would not allow it to be charged. They suggested that I must have an email filter that blocks mail from them. Hmm, funny how that email got through with no problem. My reply required them to contact me again. They have not. Can anyone else confirm this company to be affected or part of the problem?
Found this info (read below)…
With my password could they already be in your bank accounts?
What about your email accounts that contain things like Social security numbers, the hackers could email of my relatives/friends (asking for bank account numbers from your kids…)?
If my identity is or was stolen you can bet lawyers will get involved (BIG TIME).
I’m contacting my lawyer on Monday and having him make a call so we can find out the real truth on what was taken from the all those sites I visit.
I hate to see their partners get sued by this leak of private information but it could happen.
There should be a class action lawsuit if damages are indeed incurred.
IMPORTANT Read this…
While the hackers didn’t get my credit card number, they may have my email address and EV password. If I want to prevent misuse of this information, I’m supposed to change my password at my bank, credit card, PayPal, Yahoo, and online shopping sites like Amazon.
Well, I didn’t use the same password. But if I had, for my email account, for instance, the hackers, in addition to the NSA, could now read my correspondence, could now write folks using my identity. I’d bet some folks do use the same password, especially those of us who fear our forgetfulness and want to KISS, i.e. Keep it Simple Stupid.
Just the news of the hacking doesn’t help instill confidence in those legislators who say they suspect that organizations are generating the letters rather than individual constituents. (More on that later. I need to go back and find the link, maybe from OMB Watch.) And worse, with the information the hackers have, they could, if they wanted, forge my name on a Convio-generated letter to my legislators.
Let’s say, for instance, the hackers are sympathetic to the positions of the National Mining Association and want to skew feedback on the current proposed rule to eliminate the stream buffer zone and thus stop court cases against mountaintop removal. What better instrument than a list of your probable opponents at Earthjustice, the Sierra Club, etc.?
I am on the board of a not-for-profit in Miami that subscribes to TechSoup. TechSoup By-the-Cup just LAST NIGHT, Nov. 20, sent out in their standard email newsletter (by Convio/GetActive, I assume) the notice of this security breach. TechSoup’s motto is, ironically, “Technology served the way nonprofits need it.”
Are people who work for not-for-profits more likely to be clueless about security issues than the private sector? OR, are they just more honest? Is it possible that this sort of security breach is rampant in the private sector and just kept under wraps?
Yeah, I just reported on that at http://www.nonprofittechblog.org/techsoup-affected-by-convio-security-breach-too and so did Beth Kanter at http://beth.typepad.com/beths_blog/2007/11/security-update.html
Security breaches are unevenly reported in the private sector. They’re the wrong model to follow. Private sector companies should be following OUR example. Unfortunately, with the exception of Working Assets and maybe Convio, our behavior as a sector has been woefully inadequate in terms of addressing the need for transparency when it comes to security.
You might also want to check out http://www.nonprofittechblog.org/suggested-guidelines-for-nonprofit-disclosure-of-security-breaches so you can give those guidelines to the management staff at your nonprofit. Don’t sweep security breaches under a rug and think the problem is going away. You’re only helping out hackers who don’t want their activities exposed to the light of day.
There was a newspaper article in the Austin Statesman (newspaper) stating this about Convio: “a consistently unprofitable software company that has racked up $46 million in losses”
I’m not sure how this company can think that anyone would invest monies into them when they owe over $46,000,000.00 + (to VC’s) and haven’t made a cent in profit.
Plus, they are still adding $MILLIONS more each year to their debt, and that does not even consider the interest on the money.
“A consistently unprofitable software company that has racked up $46 million in losses”
After finding out this info, I would consider them consistently unsafe (in addition to unprofitable) as well.
This news could very well be a recipe for disaster when the doors close and their clients are left with only the source code to run their webpages. Nice, my passwords are in a hacker’s hands.
PS - I called their hack attack 800 number (800-501-8193) just to find out that no one would answer my call!
Pathetic.
Ummm, it’s Thanksgiving. When did you call?
Lord, don’t invest is all I will say.
There are too many other companies that I would invest in first to even consider the idea. This would be extremely high risk and the return would come decades later, if at all.
In other words, why not play the lottery with the same money, I honestly believe your odds would be higher.
I know girl scouts that have made more money in one weekend (i.e., a profit). If you invested the same amount of money in children’s lemonade stands you’d be light years ahead of their profits (i.e., none).
Hello, did the ongoing security breach end the IPO concept?
It looks like others in the space are way ahead on that idea anyhow. Looks like they will die off on VC money.
Common sense tells you it’s not going to fly with investors.
DEBT issues, security issues…
Everyone, please be aware that Convio is no longer offering an IPO. At this point, dead horses come to mind…