Important Security Announcement from PagerDuty

76 points by Titanous, almost 10 years ago

6 comments

andreasley, almost 10 years ago
Andrew Miklas wrote in a comment: *The attacker gained unauthorized access to an administrative panel provided by one of our hosting providers.*

There have been several breaches in the last months where this was the main cause and it's something almost impossible to defend against – unless you're running your own datacenter hardware, which is very hard to get right.

Few providers properly secure their control panels with 2FA, even though these admin panels are an attractive target and almost always provide full access to the system.
sarciszewski, almost 10 years ago
"Both our salts and pepper are 40 characters in length and are randomly generated."

From their CTO (on Disqus in response to my question):

"The salt, pepper, and password were concatenated together to form the string that was in turn passed to the hashing function."

http://3v4l.org/cE359

40 + 40 + strlen($password) > 72

Uh-oh.
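
Added example, not part of the comment above and not PagerDuty's code: assuming the hashing function is bcrypt, which uses only the first 72 bytes of its input, and that the concatenation order is salt, pepper, password as the quote lists them, this PHP sketch shows what an 80-byte prefix does to the password check, next to a pre-hashing variant that stays under the limit. All values and helper names are constructed for illustration.

```php
<?php
// Added example with constructed values; not PagerDuty's code or data.
// Assumption: the hash is bcrypt, which uses only the first 72 bytes of input.

$salt   = bin2hex(random_bytes(20)); // 40 characters, constructed
$pepper = bin2hex(random_bytes(20)); // 40 characters, constructed

// Scheme as quoted: salt . pepper . password passed to the hash (order assumed).
function naive_hash(string $salt, string $pepper, string $password): string {
    return password_hash($salt . $pepper . $password, PASSWORD_BCRYPT);
}
function naive_verify(string $salt, string $pepper, string $password, string $hash): bool {
    return password_verify($salt . $pepper . $password, $hash);
}

// Hardened variant: HMAC-SHA256 the password under the pepper, then base64.
// bcrypt receives 44 bytes that depend on every byte of the password, and
// bcrypt's own per-hash salt replaces the application-level salt.
function prehash(string $pepper, string $password): string {
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}
function safe_hash(string $pepper, string $password): string {
    return password_hash(prehash($pepper, $password), PASSWORD_BCRYPT);
}
function safe_verify(string $pepper, string $password, string $hash): bool {
    return password_verify(prehash($pepper, $password), $hash);
}

$real  = 'correct horse battery staple'; // constructed
$wrong = 'not the password';             // constructed

// The 80-byte prefix fills bcrypt's 72-byte window, so the password bytes
// never reach the hash and the naive check cannot tell the two apart.
$naive = naive_hash($salt, $pepper, $real);
printf("naive, real password:  %s\n", var_export(naive_verify($salt, $pepper, $real, $naive), true));
printf("naive, wrong password: %s\n", var_export(naive_verify($salt, $pepper, $wrong, $naive), true));

$safe = safe_hash($pepper, $real);
printf("safe, real password:   %s\n", var_export(safe_verify($pepper, $real, $safe), true));
printf("safe, wrong password:  %s\n", var_export(safe_verify($pepper, $wrong, $safe), true));
```
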
skuhn, almost 10 years ago
I appreciate the level of detail that PagerDuty went into with this announcement.

I presume they wanted to have all of the facts before they notified customers, but it is totally unacceptable that they waited 3 weeks to notify me about an incident with confirmed external intrusion and confirmed theft of customer data (including my own).
jc4p, almost 10 years ago
It took them 21 days to announce this? It's an in-depth post and kudos to them for that, but I'd also like to know _when_ the actual intrusion was (on July 9th when they detected it? Months before?)
autotune, almost 10 years ago
This is why PagerDuty needs a decentralized solution for customers. If products like Chef can have both Hosted Chef and Chef Server and Atlassian can have both Hosted and Self-hosted options there's no reason they can't have the same so you don't have to put your employees' potentially sensitive on-call and server incident alert history in one basket.
kolev, almost 10 years ago
I'm happy with OpsGenie [0] - not so expensive, fully-featured, and now - safer compared to the overpriced PagerDuty. OpsGenie first implemented push notifications while PagerDuty was relying on people not knowing the competitive landscape and had a web-based Android app with SMS for years. OpsGenie innovates now and PagerDuty follows. Research and don't go with the flow!

[0] http://opsgenie.com/