Security: Data Breach & Old Password Expiration


Dear Eyewire community,

We recently experienced an accidental data breach when one of our staff’s laptops was stolen at a conference. For your protection, we request that you take the following precautions, and apologize for any inconvenience.

1) When you log in next, Eyewire may tell you that your password has expired. If you see this message, you must reset your password to play again.

2) If you do not receive the expiration message, resetting your password is optional, but recommended as the safer course of action. Ideally you should also reset your password on any other site that shares the same password. (In general, it is a bad idea to use the same password on multiple sites.)

3) If you receive any email asking for your password or financial information, it is not from us. Do not release your information, and please report the incident to support@eyewire.org.

We think it unlikely that your password was exposed by the breach, but are nevertheless recommending precautions (1) and (2) to be safe. Your email address, chats, and IP address may have been exposed, which is the reason for precaution (3).

What happened?

On Feb. 11, 2016, an Eyewire staff member’s laptop was stolen. This laptop at one point contained a copy of the Eyewire database dating to sometime in mid to late 2015, which was intended to be used for basic statistical analysis. The encrypted passwords were deleted.

The circumstances of the theft suggest it was unrelated to the data on the laptop. Other items were stolen as well, which may mean the thieves lack the sophistication to look for this information. However, it is possible they could sell the laptop to someone who does.

What does this mean for me?

There are a few ways that this information could be exploited.

  1. Doxxing – Your username, email, or IP address could be used to link your identity to other services.
  2. Phishing – Scammers could send you an email that looks like it came from Eyewire HQ and attempt to get your password or credit card information. Eyewire staff will never ask for your password or credit card information by email. Check the URL bar to ensure that you are at an official Eyewire site or store before entering credit card information, and report any suspicious circumstances to support@eyewire.org. If you are logging into Eyewire, our login page URLs will always begin with https://eyewire.org. Please check that the connection is secure by noting the ‘s’ at the end of https.
  3. Combining with other available information – If other information, such as a password, was exposed in a breach of some other organization’s data and linked to your username or email, it could be combined with this information to build a more complete record.

There might be other avenues of attack that we are unaware of. Some Facebook login users have their email saved on our servers, in which case they would be affected.

What is Eyewire doing about this?

We are taking this data leak seriously. You put your trust in us when you give us your credentials, and we do our best to earn it. We’ve let you down in this case, but here’s what we’re going to do to prevent further incidents:

  1. Pursue the theft with the relevant authorities. We’ll let you know if the laptop is recovered, though that’s no guarantee that a copy wasn’t made of its drive.
  2. Institute internal controls. While most of the data in Eyewire isn’t sensitive, the little we do have needs to be protected. Effective immediately:
    1. Database information resident on anyone’s personal machine must be logged and sanitized by a technical staff member. If any sensitive information is required, it should be destroyed as soon as practicable. Most of the time we keep no data on our machines; it lives only on our servers.
    2. Any Eyewire staff member that handles other people’s information must ensure their computer is password protected and its hard drive is encrypted.
  3. SHA1 legacy passwords have been deleted. On Friday, Feb. 12, 2016, we deleted all legacy password hashes from our live database. If you are affected by this expiration, you’ll have to follow the password reset process. After over a year, it seems likely that most people interested in Eyewire would have signed in again so there should be minimal disruption.
  4. Continue to discuss the importance of secure data handling internally. We will conduct a post-mortem and ensure everyone understands the implications of this incident and how they can help prevent it from happening again.

We may make other changes to our security procedures as well.

Password Expiration

As of September 19, 2014, we started using a more secure, industry-standard password hashing scheme called bcrypt. Your passwords are always stored only as secure hashes; we never store the raw password you send to us. We have expired the passwords of users who have not played since September 19, 2014. You will have to reset your password the next time you log in.
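The two mechanisms described above (item 3 of the previous list, deleting the legacy SHA1 hashes, and this paragraph, expiring the passwords of anyone who has not logged in since the switch to bcrypt) follow a standard migration pattern: a returning user is verified once against the old hash, transparently re-hashed with the slow scheme, and the old hash is dropped; whoever never returns still carries only the legacy hash, so deleting those hashes leaves their accounts with no verifier and forces a reset. The following is an added example illustrating that pattern; it is not Eyewire’s code. The `User`, `login` and `expire_legacy_hashes` names, the sample accounts and the dates are constructed for the illustration, and the standard library’s PBKDF2 stands in for bcrypt (which needs a third-party package); the migration logic is the same either way.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Work factor for the stand-in slow hash (assumption; bcrypt uses a cost parameter instead).
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


@dataclass
class User:
    username: str
    legacy_sha1: Optional[str] = None    # pre-migration unsalted SHA1 hex digest
    slow_hash: Optional[bytes] = None    # salt || PBKDF2 digest, written on first post-migration login
    last_login: Optional[datetime] = None


def sha1_hex(password: str) -> str:
    """The legacy scheme: a plain unsalted SHA1 digest (what the announcement says was deleted)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, iterated hash standing in for bcrypt; a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def slow_verify(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def login(user: User, password: str, now: datetime) -> str:
    """Returns 'ok', 'bad_password' or 'expired'.

    An account that still carries only a legacy hash is verified against it once,
    re-hashed with the slow scheme, and the legacy hash is then dropped.
    """
    if user.slow_hash is not None:
        if slow_verify(password, user.slow_hash):
            user.last_login = now
            return "ok"
        return "bad_password"
    if user.legacy_sha1 is not None:
        if hmac.compare_digest(user.legacy_sha1, sha1_hex(password)):
            user.slow_hash = slow_hash(password)   # transparent upgrade on successful login
            user.legacy_sha1 = None
            user.last_login = now
            return "ok"
        return "bad_password"
    # No verifier of any kind is left: the password was expired and must be reset.
    return "expired"


def expire_legacy_hashes(users: List[User]) -> List[str]:
    """Cleanup step: delete every remaining legacy SHA1 hash.

    Only users who never logged in after the migration still have one, so this
    expires exactly those accounts; they must go through password reset.
    """
    expired = []
    for u in users:
        if u.legacy_sha1 is not None and u.slow_hash is None:
            u.legacy_sha1 = None
            expired.append(u.username)
    return expired


def demo() -> dict:
    # Constructed sample accounts: both start with legacy-only hashes.
    alice = User("alice", legacy_sha1=sha1_hex("correct horse"))
    bob = User("bob", legacy_sha1=sha1_hex("battery staple"))
    users = [alice, bob]

    # alice returns after the switch: verified against SHA1, then re-hashed.
    first = login(alice, "correct horse", datetime(2015, 3, 1, tzinfo=timezone.utc))
    # bob never returns, so the cleanup deletes his only hash.
    expired = expire_legacy_hashes(users)
    cleanup_day = datetime(2016, 2, 13, tzinfo=timezone.utc)
    return {
        "alice_first_login": first,
        "alice_legacy_dropped": alice.legacy_sha1 is None and alice.slow_hash is not None,
        "expired_accounts": expired,
        "bob_after_cleanup": login(bob, "battery staple", cleanup_day),
        "alice_after_cleanup": login(alice, "correct horse", cleanup_day),
        "alice_wrong_password": login(alice, "wrong", cleanup_day),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `expired` outcome is that it is indistinguishable from the server’s side from “never logged in since the switch”: once the legacy hash is gone there is nothing left to verify against, so the only path back into the account is the email-based reset described below, and a stolen copy of the database taken after the cleanup contains no password material for those users at all.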

While we believe that your passwords were not exposed, we recommend changing your password at Eyewire and any other accounts you have that might share it. You can change your password by entering your email or username on https://eyewire.org/login and clicking the “Forgot?” button. You’ll then be sent an email containing a link to reset your password.

Players with Facebook login would not be affected as the password mechanism lives on Facebook’s servers and we currently do not save access tokens that might allow us to pull additional information.

In Conclusion

We apologize for any inconvenience or adverse events you may experience as a result of this data breach, and we pledge that we’ll do better in the future. Thank you for your continued support.

Sincerely,
William Silversmith, Chris Jordan
The Eyewire Development Team & Eyewire HQ

Update 2016-02-25: If you would like to delete your account, please email a request with your username or email, sent from your linked email address, to support@eyewire.org.
