Basecamp successfully blocked an hour-long credential stuffing attack targeting its platform on January 29, with only around 100 out of the company’s advertised user base of approximately 3 million accounts being affected.
CTO David Heinemeier Hansson announced in a blog post on the company’s website that the attack was detected at 12:45 PM central when a huge increase in the number of logins was detected by the ops team.
The assailants made approximately 30,000 attempts to access Basecamp accounts over the duration of the attack which kept going for roughly one hour, from a large range of IP addresses.
The IPs used during the attack were blocked to slow it down and, eventually, a CAPTCHA system was enabled to effectively put an end to it.
Once the incident was successfully stopped and the dust settled, Basecamp’s team logged out and reset the passwords for all of the 124 accounts which were successfully breached, and emailed the customers who had their profiles accessed following the incident.
All of the unauthorized access was gained using the correct username and password for the account. It’s highly likely that these credentials were obtained from one of the big breaches, like those collected in combos like Collection #1, Anti Public, or Exploit. All the affected accounts showed as “owned” on haveibeenpwned.com.
Also Read: Expired Domains New love of hackers
While Basecamp’s proactive response to the attack and their follow-up disclosure of the ensuing security breach is praiseworthy, this security incident stands as a witness to the dangers stemming from major data breaches that can lead to huge collections of credentials such as the 87.18 GB Collection #1 one discovered during mid-January being easily accessible.
Stolen credentials are cheap and readily available
That data breach collection comprised 773 million unique email addresses and their associated passwords, and, as discovered later, it was only a small part of a much larger 993 GB one which was available for sale for only $45 and contained credentials in the email: pass, user: pass, or number: pass format.
Basecamp’s mass-login attack report follows the one issued by Dailymotion on Friday, announcing that some of the platform’s accounts were the target of a credential stuffing attack. The video platform’s ops team was also able to detect the unauthorized login attempts and stopped them although the attack went on for at least six straight days.
Users of online platforms can stay safe by never using their passwords on more than one service, using a password manager, and turn on two-factor authentication (2FA) for all services that support it.
Users should also subscribe to notification services such as Troy Hunt’s haveibeenpwned to be alerted in case one of their accounts is part of a security breach.