Security Alert: Slack User Info Leaked

This morning we were alerted that scammers had acquired the email addresses of everyone who had joined our publicly accessible Slack group. This data breach impacts everyone who joined our publicly accessible Slack group before 9:23AM PT today, February 3rd, 2018. While we are still investigating the incident, we believe that it is best to share what we know now. We know that on two separate occasions, individuals were able to create API keys that gave them access to basic information for all members of our Slack group. We also have reason to believe that these API keys were used to scrape email addresses and that members of our community are being actively targeted by scammers.

As far as we can tell, 1,118 members of our community are impacted. The information that was exposed includes email addresses, user names, real names, profile pictures, last updated timestamps and timezone settings. We do not believe any passwords or any additional personal information was compromised. We sincerely apologize to all of our users who were affected by this breach. Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.

Timeline of events:

  • Wednesday, November 15, 2017 an unauthorized user successfully created an API key for our Slack giving them access to download basic information on all members of our Slack community.
  • Wednesday, January 24th, 2018, a second unauthorized user successfully created an API key with identical privileges.
  • Saturday, February 3, 2018 at 1:54 AM PT, fake phishing emails were sent to several members of our Slack community pretending to be from another well known blockchain project.
  • Saturday, February 3, 2018 at 9:02 AM PT, we were notified by a team member that the targeted email addresses appeared to have been harvested from our Slack channel.
  • Saturday, February 3, 2018 at 9:23 AM PT, we discovered and disabled the default setting on Slack which permits any user to create an API key which allows for the harvesting of all members information.
  • Saturday, February 3, 2018 at 10:34 PM PT, we published this public disclosure of the incident and began notification to all affected users.

How it happened:

When we set up Slack in August last year, we made a conscious decision that we wanted it be to open it to the public. We believe that our community is one of the most important things we’re building at Origin and we wanted a place for our core team to collaborate beyond the constant chatter in our Telegram group. We’re a 100% open-source project and the vast majority of our team collaboration happens in Slack where everyone is welcome to join. Slack has become an important gathering place where we discuss the technology we’re building and coordinate on various initiatives between our core team and our growing community of contributors.

Unfortunately, Slack has some really dumb and insecure defaults. One of those defaults is that anyone who joins a Slack group is allowed to create an API key, and that API key is all you need to scrape the email address of every member in the group. While we sincerely believed we had everything locked down, clearly we missed one of the most critical settings possible. Shame on Slack. Shame on us.

Potential impact for users:

Affected users may receive spam or unwanted emails, and everyone should be on especially high alert for phishing attacks. This morning phishing emails were sent to some (but not all) of our Slack members purporting to be from another blockchain project called Republic Protocol. We have talked with the Republic Protocol team and have confirmed that those emails were phishing attempts, and not sent by anyone on their team. If you received one of those emails, please be cautious and do not click on them.

Screenshot of the phishing email received by multiple members of our community

While there’s no evidence that the leaked data has been widely distributed, it’s clearly in the hands of bad actors who are likely to send other phishing emails pretending to be from Origin Protocol or other well known blockchain projects. We want to remind our community to be suspicious of all emails, even if they appear to be legitimate and even if they appear to come from our official email addresses.

What we are doing to address this:

We immediately secured our Slack group to prevent data from leaking from Slack in the future and have banned both of the unauthorized users from our group. We are contacting all impacted users to inform them of the situation. We’ve also reached out to several other Slack communities that we’ve noticed are also vulnerable.

We’ve done a full audit of our SPF, DKIM and DMARC records and set them to the strictest possible levels. As a result, any email clients that support these standards (most of the popular ones do) should immediately flag or reject any emails claiming to be from originprotocol.com that were not sent from our designated IPs or digitally signed with our DKIM keys.

Scammers are already busy targeting our Telegram group with fake messages from imposter accounts. We talk about security every day as hackers are regularly performing penetration testing on our website and sending our team members phishing emails. We’re ramping up our defenses by adding more administrators to our Telegram group as well as creating automated tools to automatically detect and ban bad actors. We’re going to perform a thorough security audit to determine how this security failure happened and do everything we can to protect our community going forward.

Security reminders:

Every day, we hear about scammers targeting projects in this space and we’re reminded how important it is for all of us to remain vigilant. The stakes are high and we don’t want anyone in our community to be scammed. Here are a few important reminders for everyone in regards to our project:

  • All official announcements will always be posted or linked to from www.originprotocol.com.
  • We will never ask you to send funds via an email, Slack or Telegram message.
  • We will never ask you for your private keys.
  • Remember, emails can easily be spoofed. If in doubt, double check the authenticity of a message via another channel.
  • Always double check the domain! Our official domain is www.originprotocol.com. Remember, scammers are likely to setup phishing sites that look identical to our official website.
  • Please report any phishing attempts or suspected security issues to our team immediately. You can always securely message me on Keybase.

Our team is still actively investigating this issue, but we wanted to share all relevant information as soon as possible. If more information surfaces we will update this post and share any updates directly to users. We take security very seriously and want to apologize again for this unacceptable breach of your trust.

Thanks to our core contributor, Mohamed for alerting us to this issue.

Learn more about Origin: