Obviously, this is a very disappointing situation for us -- we've always taken security very seriously since day 1, it's something that's been core to who we are from the beginning.<p>That said, how you respond in this situation can be just as important, and so we are making sure to be incredibly proactive in addressing the situation & transparent in how we communicate the details with our customers. Our top and immediate concern has been our users and the safety of their accounts.<p>A few days ago we became aware that an unauthorized party obtained email addresses/usernames, last login IP addresses and bcrypt hashed passwords for a large number of customers (anyone who signed up prior to March 1 of this year).<p>At this point we do not have evidence of any customer website/account being improperly accessed. It's also worth noting that we do not store any full credit card numbers on Weebly servers, so any credit card information was not part of this incident.<p>We immediately started working on taking steps to notify our customers, and were able to get this out in a matter of a few days. We're initiating password resets as of this morning, and we've also made several improvements to the application including new password complexity requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity. We also increased our bcrypt work factor from 8 to 10, and all passwords will be automatically upgraded as of the next time a user logs in.<p>We've hired an incident response firm who is working with our internal team to complete a full investigation. In the meantime, we're examining our stack top to bottom and taking many steps to enhance our network and application security. This is an area we take very seriously and we'll be putting in tremendous effort to ensure this doesn't happen again.
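The "passwords will be automatically upgraded the next time a user logs in" step described above is a standard pattern: a stronger hash can only be computed when the plaintext is available, i.e. at a successful login, so the verifier checks the stored hash's work factor and rehashes on the fly. The block below is an added illustration of that pattern and is not Weebly's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (so it runs with no third-party package), with the iteration count playing the role of bcrypt's cost parameter; the storage string format, the `TARGET_ITERATIONS` value and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed storage format for this example (not Weebly's):
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
# PBKDF2 stands in for bcrypt so the example needs only the standard library;
# the iteration count plays the role of bcrypt's work factor.
ALGORITHM = "pbkdf2_sha256"
TARGET_ITERATIONS = 100_000  # the "new" work factor (assumed value for the example)


def hash_password(password: str, iterations: int = TARGET_ITERATIONS) -> str:
    """Hash a password with a fresh random salt at the requested work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored hash into (iterations, salt, digest); ValueError on malformed input."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def work_factor(stored: str) -> int:
    """The work factor the stored hash was computed with."""
    return parse_hash(stored)[0]


def needs_rehash(stored: str, target: int = TARGET_ITERATIONS) -> bool:
    """True when the stored hash is weaker than the current policy."""
    return work_factor(stored) < target


def verify_and_upgrade(stored: str, password: str,
                       target: int = TARGET_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Check a login attempt and return (ok, replacement_hash).

    replacement_hash is a fresh hash at the target work factor when the password
    was correct AND the stored hash is below target; otherwise None. The caller
    writes the replacement back to the user record. A failed login never
    triggers a rehash, and the comparison is constant-time."""
    iterations, salt, expected = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(candidate, expected):
        return False, None
    if iterations < target:
        return True, hash_password(password, target)
    return True, None


if __name__ == "__main__":
    # A record hashed under the old, weaker factor (constructed example).
    legacy = hash_password("correct horse", iterations=20_000)
    ok, upgraded = verify_and_upgrade(legacy, "correct horse")
    print(ok, work_factor(legacy), "->", work_factor(upgraded) if upgraded else "unchanged")
```

One operational note: an upgrade-on-login scheme only reaches accounts that log in again, so dormant accounts keep the weaker hash indefinitely; forcing resets (as the comment above says was done) or expiring stale credentials is what closes that gap.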
Responsible disclosure and proper handling of passwords as well as not storing credit cards. Barring no breach at all, this is about as well as something like this can go.
Every time this happens I ask myself only one question.<p>What about all those hacked servers that we don't know are hacked yet?<p>There are ( and I'm pretty sure ) lots of hackers that do this on a daily basis, but don't try to do anything malicious on a large scale ( like dumping the whole db of customers, DDoS, etc. ). They probably target medium-large or small companies' servers, put a backdoor there and analyze. Either stealing some business secrets or leaving it like that for one of the dark days when some political-corporate person will need their help.<p>Having the whole of human knowledge in the palm of my hand has also made our own lives public knowledge.
More details and background: <a href="https://www.leakedsource.com/blog/weebly/" rel="nofollow">https://www.leakedsource.com/blog/weebly/</a>
I really like Google's Recent Log in Activity and Location. So if anyone logs into your account from a different location, you are automatically notified. But one of the problems with this is that once hacked, it exposes your location as well.<p>2nd thing is 2FA. I hope 2FA becomes the standard for all logins. Even SMS. ( I know SMS is not safe in the US, but I am not sure if similar can be said in the EU or Japan )
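Both the "recent log-in history" dashboard from the Weebly statement and the new-location notification praised in the comment above come down to the same detection logic: keep a per-account baseline of where logins have come from and flag the first sighting of a new IP or region. The block below is an added example of that logic, not code from Weebly or Google. The log line format, the account names, the IP addresses (from documentation ranges) and the region codes are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample login audit log (not real data). Assumed line format:
#   "<timestamp> user=<account> ip=<address> geo=<region>"
SAMPLE_LOG = """\
2016-10-18T09:12:00Z user=alice ip=203.0.113.5 geo=US-CA
2016-10-18T18:40:00Z user=alice ip=203.0.113.5 geo=US-CA
2016-10-19T07:55:00Z user=bob ip=198.51.100.23 geo=DE-BE
2016-10-20T02:03:00Z user=alice ip=192.0.2.77 geo=RU-MOW
2016-10-20T02:05:00Z user=alice ip=192.0.2.77 geo=RU-MOW
2016-10-20T11:30:00Z user=bob ip=198.51.100.90 geo=DE-BE
"""


@dataclass
class Login:
    ts: str
    user: str
    ip: str
    geo: str


@dataclass
class Alert:
    ts: str
    user: str
    reason: str  # "new-geo" or "new-ip"
    value: str


def parse_log(text: str) -> List[Login]:
    """Parse the key=value audit format into Login records; blank lines are skipped."""
    logins: List[Login] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        logins.append(Login(ts, kv["user"], kv["ip"], kv["geo"]))
    return logins


def detect_new_locations(logins: List[Login]) -> List[Alert]:
    """Alert the first time an account logs in from a region or IP not seen before.

    An account's first login establishes its baseline and is not alerted. A new
    region and a new IP on the same login produce two alerts, geo first, so the
    coarser signal (region) is the one a notification would lead with."""
    seen_geo: Dict[str, Set[str]] = {}
    seen_ip: Dict[str, Set[str]] = {}
    alerts: List[Alert] = []
    for login in logins:
        if login.user not in seen_geo:
            seen_geo[login.user] = {login.geo}
            seen_ip[login.user] = {login.ip}
            continue
        if login.geo not in seen_geo[login.user]:
            alerts.append(Alert(login.ts, login.user, "new-geo", login.geo))
            seen_geo[login.user].add(login.geo)
        if login.ip not in seen_ip[login.user]:
            alerts.append(Alert(login.ts, login.user, "new-ip", login.ip))
            seen_ip[login.user].add(login.ip)
    return alerts


def recent_history(logins: List[Login], user: str, limit: int = 5) -> List[Login]:
    """The most recent `limit` logins for one account, newest first (the dashboard view)."""
    mine = [l for l in logins if l.user == user]
    return sorted(mine, key=lambda l: l.ts, reverse=True)[:limit]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for alert in detect_new_locations(records):
        print(alert.ts, alert.user, alert.reason, alert.value)
    for entry in recent_history(records, "alice", limit=3):
        print(entry.ts, entry.ip, entry.geo)
```

The trade-off the comment raises is real and visible in the Weebly statement itself: the last-login IP addresses that make this dashboard possible were among the fields taken. Whatever feeds `recent_history` is PII and should be retained only as long as the feature needs it, with older entries purged or reduced to region only.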
I wonder if the hacker is really interested in decoding credentials or if they just want to collect the email addresses, which are really valuable for email marketing.
I have talked to a number of current and former Weebly employees trying to convince them to use things like hardware token based 2FA, hardened servers, hardened workstations, and strong end to end encrypted password management that can't be trivially decrypted from a private key stolen from memory. I had such things written off as being too paranoid when they are too easy -not- to set up.<p>I was not at all shocked by this headline.<p>I don't want to just single out Weebly here as I discuss these sorts of things with people at different companies all over the bay out of personal interest and anything harder than using something like lastpass to reach production systems is considered too much work. Honestly Google and Facebook are the only large companies I have seen deploy fairly decent security practices out of the dozens I have exposure to. I credit this to the fact they employ teams of people who have the specific job of continually auditing and enforcing all available security tools on their systems and fostering a culture that security is everyone's job.<p>You will pay for security either way. Either up front paying teams of capable people, or in lost customer trust after the fact.<p>Security apathy in the valley is a cancer impacting companies of all sizes. Sure you can't make anything perfectly secure, but you can at least force your attacker to burn a 0day. Don't make it as easy as spoofing an email and getting an employee to click a malicious link.<p>If you have any sort of privileged access to PII data of your customers and are not even doing basics like using hardware tokens to gate your server and db access you are one keylogger or XSS away from a serious breach. If you know how to set such things up and still don't do it, you are additionally a terrible person.<p>At the very least the data required to readily plaintext the passwords is not public in this case which is a lot better off than companies using only simple hashing like md5.
Some credit is due here for sure, but I can't help but strongly suspect the issues here and in now countless other orgs are a result of people having access to PII that don't really care about security or respect the privacy of the user data they are responsible for.
And here I am, trying to apply for a Senior position there [1].<p>[1] <a href="https://news.ycombinator.com/item?id=12752642" rel="nofollow">https://news.ycombinator.com/item?id=12752642</a>