Authereum Incident Disclosure
On Saturday, October 3rd, 2020, we detected a scripted attempt to log into a number of Authereum accounts. No user funds were lost or moved during the incident and the Authereum contracts and peripheral systems are and have been behaving as expected. We believe the attacker used a list of emails and passwords they obtained from other compromised websites to access or attempt to access Authereum accounts.
Shortly after the incident began, we put the Authereum servers in maintenance mode while the threat was assessed. Less than six hours later, we pushed updates to provide additional protections for potentially compromised accounts. These updates were made, tested, and deployed to prevent the attacker from taking further action. Thereafter, maintenance mode was disabled, and users were able to resume logging in.
To prevent future instances like this, we have made a number of updates to our system. Going forward, we will:
- use a reCAPTCHA for user logins in order to prevent scripted login attempts
- require email verification for logins from unknown IP addresses and devices
- apply stricter rate-limiting rules to numerous public-facing backend endpoints
- monitor additional systems for suspicious activity
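As an added illustration of the rate-limiting, unknown-origin verification and monitoring controls listed above (this is not Authereum's code; the thresholds, event fields and decision policy are assumptions), the following Python example applies a per-IP attempt limit, flags a single source trying many distinct accounts within one window, and requires email verification when a correct password arrives from an IP address or device not previously verified for that account:

```python
from collections import defaultdict, deque

# Constructed sample login events, not real Authereum logs:
# (timestamp_s, email, source_ip, device_id, password_ok)
SAMPLE_EVENTS = [
    (0,   "alice@example.com", "203.0.113.5",  "dev-unknown", False),
    (2,   "bob@example.com",   "203.0.113.5",  "dev-unknown", False),
    (4,   "carol@example.com", "203.0.113.5",  "dev-unknown", True),   # a reused password hits
    (6,   "dave@example.com",  "203.0.113.5",  "dev-unknown", False),
    (8,   "erin@example.com",  "203.0.113.5",  "dev-unknown", True),
    (100, "alice@example.com", "198.51.100.7", "dev-alice",   True),   # legitimate user, new laptop
]

class LoginGuard:
    """Per-IP rate limiting plus step-up verification for unknown IP/device (hypothetical policy)."""

    def __init__(self, window_s=60, max_attempts=5, max_accounts=3):
        self.window_s = window_s
        self.max_attempts = max_attempts      # total attempts per IP inside the window
        self.max_accounts = max_accounts      # distinct accounts per IP inside the window
        self.attempts = defaultdict(deque)    # ip -> deque of (ts, email)
        self.known = set()                    # (email, ip) and (email, device) pairs verified before

    def evaluate(self, ts, email, ip, device, password_ok):
        q = self.attempts[ip]
        while q and ts - q[0][0] > self.window_s:   # drop attempts older than the window
            q.popleft()
        q.append((ts, email))
        if len(q) > self.max_attempts or len({e for _, e in q}) > self.max_accounts:
            return "rate_limited"             # rejected before the password is even considered
        if not password_ok:
            return "deny"
        if (email, ip) not in self.known or (email, device) not in self.known:
            return "verify_email"             # correct password, unfamiliar origin: step up
        return "allow"

    def confirm_verified(self, email, ip, device):
        """Record the origin once the user has completed the email verification."""
        self.known.update({(email, ip), (email, device)})

def run_sample():
    """Replay the constructed events and return the decision taken for each one."""
    guard = LoginGuard()
    decisions = [guard.evaluate(*event) for event in SAMPLE_EVENTS]
    guard.confirm_verified("alice@example.com", "198.51.100.7", "dev-alice")
    decisions.append(guard.evaluate(130, "alice@example.com", "198.51.100.7", "dev-alice", True))
    return decisions
```

Note that the attacker's fourth and fifth attempts are refused by the distinct-account rule even though the fifth carried a valid password, while the legitimate user's second login from the now-verified laptop proceeds without a further challenge.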
Authereum places security at the forefront and prioritizes account safety. We have various security measures in place for preventing malicious actors from gaining unauthorized access to accounts and we are actively improving security by consulting with security experts. Our web applications and backend services have been audited by Cure53 and our smart contracts have gone through multiple rounds of audits.
We will never ask you to provide us with your password, private keys, or backup recovery phrase. Please try to use a strong password on any website you visit and set up two-factor authentication on your Authereum account!