Fake Email to Clients – Updates

PureVPN Oct-06-2013 Comments: 0

#Conclusive Report

 

Dated: October 13th 2013

Dear All, 

We are now announcing the conclusive investigation report of the unfortunate incident that took place on October 6th, 2013. Please read the full text of this report below:

Dear PureVPN Clients,

We would like to start by accepting complete responsibility for the unfortunate incident that happened on October 6th, 2013. As one of the biggest VPN providers, PureVPN combats all sorts of malicious attacks and cyber crimes in their various forms. Our hard-working staff is at work 24 hours a day, 365 days a year with a mission to defeat what's bad for millions of innocent internet users the world over. Unfortunately, there are times when the bad, thanks to zero-day exploits, gains the upper hand and is able to momentarily disrupt those hard efforts. The hard reality is that this war between the good and the bad is never-ending. Our friends at Google, Apple, Microsoft, Adobe, Facebook, Twitter and others, despite having the best resources at their disposal, all face such short-lived defeats, only to grow stronger. Now it's our time to grow stronger.

Our engineers and the security team have worked round the clock during the past 8 days, extensively auditing all systems, to bring this conclusive report out today to our valued users. Although the fix for what was obvious was applied within a few hours, we kept on investigating the root cause, which we hereby present to our valued users.

On 4th Oct 2013 the hacker, using a Romanian IP address, was able to exploit a bug in WHMCS, the 3rd party billing and ticketing solution that we use on our website, and ran several SQL injection queries to compromise a few tables including "tblclients", "tbladmins" and "tblconfiguration". The hacker obtained user info (mainly name and email) including hashed passwords (i.e. not in a readable form but in an irreversible form) but obviously couldn't compromise the sensitive billing information (credit card or PayPal information), as it is NOT stored in the on-site database. User passwords are stored using MD5 + salt, which is essentially irreversible. Although not an imminent threat, we encourage our users to reset their passwords as a precautionary measure.

The hacker, knowing that (s)he had a short time window, was not able to compromise the complete user database; when (s)he reached approx. 70,000 clients, (s)he moved on to the mass mail stage. Using the same exploit the hacker was able to compromise our SendGrid account access information (SendGrid being the 3rd party SMTP service we use for transactional emails), which WHMCS stores in the same database (tblconfiguration). After illegally obtaining Email IDs and our SMTP account credentials, the hacker accessed our SendGrid account, imported the Email IDs, created a newsletter and sent the fraudulent mass mail on 6th Oct 2013 at 10:26 HKT (GMT+8).
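The two paragraphs above describe the mechanism of the breach: user-controlled input reached the text of SQL queries in the billing application, which let one flaw read arbitrary tables (client records and, in the same database, the stored SMTP credentials). The following is an added example, not code from the original post or from WHMCS: it contrasts a lookup that splices the input into the query string with one that binds it as a parameter, using an in-memory SQLite table with constructed rows. The table and column names are assumptions for the example, not the real WHMCS schema.

```python
import sqlite3

# Constructed sample rows standing in for a "tblclients"-style table.
# Column names and values are assumptions for this example, not WHMCS's schema.
SAMPLE_CLIENTS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory database holding the constructed client rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER, firstname TEXT, email TEXT)")
    conn.executemany("INSERT INTO tblclients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the SQL by string formatting: the caller's input becomes part of the query text,
    so any quote characters in it change the structure of the statement."""
    query = f"SELECT id, firstname, email FROM tblclients WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Binds the input as a parameter: the database only ever compares it as a value."""
    query = "SELECT id, firstname, email FROM tblclients WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    """Run both lookups on a normal address and on an input that carries a quote
    and an always-true clause, and report how many rows each returns."""
    conn = make_db()
    normal = "bob@example.invalid"
    # Constructed input: for the vulnerable function it widens the WHERE clause to every row;
    # for the parameterised function it is just an address that matches nothing.
    crafted = "nobody@example.invalid' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the fix is structural, not a matter of filtering particular characters: with bound parameters the query text is fixed before any input arrives, so the same input that dumps the whole table from the first function matches nothing in the second. Keeping third-party service credentials (here, the SMTP account) out of the application database altogether, or in a separate store the web tier can only use but not read back, limits what a single query flaw can reach.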

A further and thorough audit of our VPN systems has confirmed that there was absolutely no breach of the VPN network, and throughout the incident our VPN service continued to operate securely. No technical usage data was compromised, and since we do not store user activity logs, our users are hereby assured of full anonymity and security throughout.

We have learned from several of our mistakes and have immediately started taking measures to prevent this from happening again in the future. As a token of our continued commitment to our clients, we are offering compensation. Details of the compensation are as follows:

  • Affected clients with an annual subscription will get 5 weeks of free service.
  • Affected clients with a semi-annual subscription will get 3 weeks of free service.
  • Affected clients with a monthly subscription will get 2 weeks of free service.

If you are an affected user and haven't received the compensation email, kindly create a support ticket here after logging into your Client Area.

Again, we accept complete responsibility for what has happened, but we are determined to continue our fight against the bad. The war will go on.

Sincerely,

 

Uzair Gadit, Co-Founder,

On behalf of The PureVPN Team.

 
 
#Update 3

Dated: October 7th 2013

 

This is going to be a short update on the matter.

In the wake of the hack attempt we have been continuously testing our systems for any further possible security lapses. It has been more than 36 hours since the incident, and we want to reassure our valued users that all systems, including the Client Area, billing systems and support center, as well as all the systems of the VPN service including the VPN servers, are functioning 100% well. Although never affected, load on the VPN service is at its usual level, and we are thankful to our valued users for their understanding and cooperation.

The user database breach that occurred yesterday, due to a security exploit found in the 3rd party application WHMCS, has been identified as an isolated breach that compromised the Email IDs and names of a subset of our registered users. We repeat: no billing information such as credit card details or other sensitive personal information was compromised.

Our conclusive investigation report is near completion, and we are just waiting on the involved 3rd party services to confirm a few aspects related to their systems. We deeply regret this compromise and apologize to our valued users. We further believe we'll learn from our mistakes and grow even stronger. Once the investigation report is out, we'll be announcing compensation for the affected users.

Please follow us on Twitter @purevpn to remain updated with latest developments.

 

#Update 2

Dated: October 6th 2013

 

We are writing this post to share a quick update:

Our VPN service is functioning 100% fine and there is no interruption whatsoever. While we are investigating the cause of the email, we re-emphasize that, as we do not store any of our users' credit card or PayPal information in our on-site databases, there has been no compromise of our users' billing information. Similarly, service troubleshooting logs (connection attempts, user IPs, etc.) are safe and intact, as we do not store such logs on site. Furthermore, as we vouch for privacy, security and anonymity on the internet, we do not store actual VPN service usage logs.

Preliminary reports suggest that we were hit with a zero-day exploit found in WHMCS, the 3rd party CRM that we use on our website: http://blog.whmcs.com/?t=79427

We are able to confirm that the breach is limited to the Email IDs and names of a subset of registered users.

At PureVPN, in recent months, we have experienced phenomenal growth, and we are pretty excited about what we have been working on in the back office. Clearly, we are getting more and more popular, reaching new heights fast enough for some to worry, and such attacks are not unexpected for popular services these days. Such incidents add to our resolve to continuously improve our service for our users.

Please follow us on @purevpn to keep up to date with latest developments.

 

#Update 1

Dated: October 6th 2013

 

Dear All,

Hope you are doing well and enjoying PureVPN's services.

This morning some of our users received a fake email, and we are putting up this blog post as a clarification. We are NOT closing down, nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities, nor do we store our users' personal data to share with anyone.

In terms of service, features, level of support and speed of the VPN network we are indeed stronger than ever, and our recent growth rate has been phenomenal. Lots of additional features have been planned, and we are pretty excited about what we have been working on in the back office.

Status of the VPN service:

Our VPN service is working 100% OK. You may continue using our VPN service, which is secured with the highest possible levels of encryption.

Status of Billing Portal / Client area:

While we are investigating the issue, we've temporarily disabled everyone from logging into the billing portal / client area.

We'll shortly be communicating further updates. To remain informed, please follow us on Twitter.

Sincerely,

 

Uzair Gadit, Co-founder.

On behalf of The PureVPN Team.

 



37 Responses to Fake Email to Clients – Updates

  1. EJ says:

    This is a fake email, good news. But I wonder how they got my email address and how they know I use PureVPN… Is there a leak in your office?

    • admin says:

      EJ, thank you for understanding our situation here. We are confident that it's not a leak in our office, but we have serious doubts over the 3rd party CRM that we use, i.e. WHMcs. Please stay tuned for a comprehensive report on this incident.

  2. Tchaf says:

    What does that mean from a privacy perspective? I’m not sure that it’s better that someone unauthorized was able to apparently get e-mail addresses of a significant amount of users, than the government requesting this data from you. What data have or might have been stolen? Does someone have my email address now? My credit card info? My connection IPs? What exactly had happened? How do you make sure that won’t happen again? How are users going to put trust in your security and privacy mechanisms in the future if you don’t answer these questions quickly?
    Looking forward to your answers.
    Ps: this obviously isn’t my right name or email address

    • admin says:

      Tchaf, none of the above two choices are better of course. Let us categorically deny any involvement of NSA or any government in this. We totally understand your concerns and are making the best of our efforts to dig deep into the matter. As you can see in our update 2, credit card/billing info, connection IPs of users were not compromised at all. A subset of registered users Email IDs and names were breached and we have already started updating our system accordingly. Incidents like these add to our resolve to continuously improve our service for our users and offer only nothing but the best service.
      We believe that first step towards the solution is to accept that there’s a problem. We have accepted the problem and are keeping our valued users up to date by posting relevant updates on our blog, sharing specific details on our twitter handle @purevpn and by sending out emails. Our whole team is on board, working in collaboration with each other to make sure we resolve this matter at our earliest.

  3. Dafunks says:

    I’m a bit upset about this, but I understand that you cannot really do anything about zero day exploits. It’s just part of the Internet age.

    Was it just the emails and names taken? Were any other parts of information in the same database? Please let us know asap.

    Thanks for the emails and quick honesty on your part.

    • admin says:

      Thank you Dafunks for understanding our position. Yes, we are 100% sure that the breach was limited to Email IDs and Names of a subset of our clients. All other information is safe.

  4. Worried says:

    As an affected customer, I find this entire situation immensely troubling. Your service builds itself up as a means to stay anonymous, but your latest update is trying to calm your customers by saying "Don't worry guys, it was only the names and emails of our customers the attacker(s) was able to obtain!" as though that should put us at ease?
    You then go on to suggest that the attack was made possible due to what you call a "zero day" exploit in some of the 3rd party software you use. My confusion with that is the page you linked to is the announcement of the patch required to fix this issue, an article that was posted 3 days ago. With that in mind I'm not sure how you consider it a "zero day" exploit, as that really goes against the concept of the term itself.
    Now don't get me wrong, I have had a wonderful experience with PureVPN up until this point, but the fact of the matter is this event is extremely concerning when keeping customers anonymous is your key selling point. I'm very curious as to what PureVPN is going to do to make this up to the affected customers.

    • admin says:

      We totally understand your concerns, Worried, and your points are valid. But I hope you agree that it was also very important for us to accept that the problem has occurred and remain transparent about it. However, we never said "Don't worry guys, it's just emails and names"; rather we accepted the breach and shared its details as soon as the events unfolded. As far as making up to the affected customers is concerned, we are considering a few options but can't commit to anything at the moment. We'll keep you guys posted on that too.

  5. PM says:

    How about leak of any password information? Can we assume passwords have not been leaked?

    • admin says:

      Yes, let me assure you that your passwords are safe and only a subset of our users' email IDs and names were compromised. We apologize for the inconvenience.

  6. CR says:

    Please provide a visible unsubscribe link in your emails, as there has been none in the last two emails received today. I wish to remove my subscriber details from your mailing lists immediately, and there should also be an option on your website today in light of the security breaches.

    • admin says:

      We understand your concerns and apologize for the inconvenience, CR. But I hope you agree that it was necessary for us to share the update with all of you right away. However, all our usual emails always have the unsubscribe option, and we have also noted down your suggestion in this regard. We will be careful next time.

  7. Yannick C. says:

    Hello, I would like to start by saying that I'm not too worried about the hijack because it happens to almost every online company, from Microsoft to Ubuntu very recently. Although a crisis for the business image, I think you have done a good job taking control of the situation and providing up-to-date information in a transparent manner.
    I do however have one question about the nature of the attack. I was wondering if the attacker only sent out an "admin message", or if they obtained access to (downloaded) the user info from the db.
    I'm asking because I know that lots of people use the same passwords for everything online. If the attacker has everyone's email address and the user passwords from your CRM site, well, there might be a problem for users with lower online security standards. If this is the case it might be a good idea to recommend that people change their email passwords as a precaution. Take it or leave it, it's my 2 cents.
     
    Once again keep up the good work…
     
    YC

    • admin says:

      Thanks so much for your encouragement Yannick, we really appreciate it. With respect to passwords, it is up to our users if they want to change them or not. What we can assure you of is that none of the passwords have been leaked, so it's fine even if they don't change them.

  8. ADEL ALHUJARI says:

    So our secret information is safe? No one stole card info or other details?

  9. Veroni Zwart says:

    My E-mail ID and address are now known to the breachers.
    What should I do now? Change the E-mail address and every password connected?

    • admin says:

      A subset of our users' email IDs were compromised, Veroni, but your passwords are safe. You can definitely change the password if you want to, but rest assured they were not compromised.

  10. Darkenezz says:

    So do I need to be concerned about the email I got or not?
    It's kinda serious: "we have to close my account permanently. We are no longer able to run an anonymization service due to legal issues we are facing."

    • admin says:

      That was a fake email and, as shared in the post above, we are not closing down nor are we handing over any details to the government authorities. We are not facing any legal issue either. Our VPN service is 100% functional and running.

  11. Dave Kimble says:

    "… such attacks are not unexpected with popular services these days." is NOT an acceptable response to a successful hack of clients' names and email addresses. The credibility of WHMCS is ZERO after an SQL injection attack, which can only be due to not validating input fields properly.

    I await further developments, but I am going to be wanting my money back.

    • admin says:

      We respect your opinion Dave and have taken necessary steps to make sure such incidents do not happen again.

  12. Lorrie says:

    I received the suspicious email late last night and a short while later received an email from PureVPN. I was happy to see they were on top of it so quickly and even happier to receive their continual updates. This is the sign of a trustworthy company. Thank you PureVPN.

    • admin says:

      Thank you so much Lorrie for keeping your faith in us. It is because of you guys that our resolve to serve you even better has got stronger. :)

  13. Tchaf says:

    Guys, just to get back to you after the rant above: I'm really impressed by your open, quick communication on this issue. You definitely won me as a regular customer.

  14. Stu says:

    I appreciate the way you are handling it. My question to you is what did the spammers think they would get from the fake email. It doesn't look like it contained any payloads and they forged your return email address. They weren't phishing for personal information. Do you think it was just a competitor trying to make you look bad and hurt your reputation with PayPal? What was their end game?
    I'd note that their English wasn't perfect, but since you are Hong Kong based that was less of a tell than it might normally be.

    • admin says:

      It would be too early for us to blame anyone Stu. But you are making a strong case here and we are investigating the matter keeping in mind this perspective as well.

  15. jan says:

    Guys, if emails were compromised, this is a huge breach in your security and basically means all your users have been identified and are now no longer anonymous, unless fake email accounts have been used. Not cool. Is it likely to have been exported by the 'hackers' so they have it as a list?
    Regardless, since emails have been compromised, what steps are you taking so further emails from PureVPN can be authenticated as actually being from PureVPN?

    • admin says:

      This is an important point Jan. Once we complete our investigation and conclude our findings we’ll then move to take further actions for email authentication.

  16. Rick says:

    Can't imagine how much of a PR shitstorm this must be for you guys, but it's being handled very well. Thank you for keeping everyone updated!
     

    • admin says:

      Thank you so much for your support Rick. We really appreciate the positive feedback we’re getting from all you guys.

  17. SimonP says:

    Just to echo what Rick says, well done guys for jumping on this so quickly. Like others I was very concerned about the fake email when it first arrived but was suspicious from the outset, and your swift response certainly put my mind at rest. Best wishes and good luck in resolving the issues.

  18. EJ says:

    You seemed to be really concerned about this problem. I have to admit this problem was solved with great professionalism. We all hope this won't happen again.

  19. Concerned says:

    I am concerned about the advice given by purevpn.com that because the passwords were salted and hashed with MD5 they are secure, and this is not something users should worry about.
    It is well known that modern GPU brute forcing efforts can rapidly attack MD5 passwords, especially if the salt is chosen poorly or if the password is a dictionary word (amongst other commonly used patterns). This is similar to the issue that LinkedIn had when their password db was stolen.
    Please see this Ars Technica article:
    http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
    I have a few questions that I would like answered:
    1) Does the software re-use the same salt? i.e. does it generate a salt randomly for every user in the system?
    2) Will purevpn reimplement the hashing code to use a high-cost hashing function, see e.g. bcrypt? If not, why not?
    3) In my view purevpn should make password changes mandatory. Will this policy be implemented, and if not, why not?

    • PureVPN says:

      Concerned,

      How WHMcs encrypts passwords and generates salt is detailed here:
      docs.whmcs.com/API:Get_Clients_Password

      It’s not pure MD5.

      And yes, a new random salt is generated for each stored password, and reportedly there are approx. 13 million possible combinations to break a WHMcs password, which makes it quite safe to assume they are secure.

      Hope that helps!
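The exchange above turns on two properties of password storage: whether each stored password gets its own random salt, and whether the hash is deliberately slow. The following is an added example, not code from the original post, from WHMcs or from either commenter. It uses PBKDF2 from Python's standard library as a stand-in for a high-cost function such as the bcrypt the comment mentions (bcrypt is not in the standard library), and a single salted MD5 as the fast construction under discussion. The storage format, the iteration count and the sample passwords are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed record format for this example (not WHMcs's):
#   "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
# Storing salt and iteration count alongside the digest lets the cost be raised later
# without breaking verification of older records.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a slow, per-user-salted record for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the stored salt/cost and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_md5(password, salt):
    """The fast construction the comments discuss: one MD5 over salt + password."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def demo():
    """Show what per-user salting and a slow KDF buy, using constructed passwords."""
    pw = "correct horse"
    record_a = hash_password(pw)
    record_b = hash_password(pw)
    shared_salt = b"\x00" * 8  # a reused, site-wide salt: the weak case from question 1
    return {
        # Same password, two users: the records differ because the salts differ.
        "different_records_for_same_password": record_a != record_b,
        "verify_correct": verify_password(pw, record_a) and verify_password(pw, record_b),
        "verify_wrong": verify_password("wrong password", record_a),
        # With one shared salt, two users with the same password store the same digest,
        # so one guess is tested against both at once.
        "shared_salt_reveals_equal_passwords": salted_md5(pw, shared_salt) == salted_md5(pw, shared_salt),
        # With a fresh salt per user, equal passwords do not yield equal digests.
        "per_user_salt_hides_equal_passwords": salted_md5(pw, os.urandom(8)) != salted_md5(pw, os.urandom(8)),
    }


if __name__ == "__main__":
    print(demo())
```

A per-user salt answers question 1 in the thread: it stops one guess from being checked against every record at once and defeats precomputed tables, but it does nothing about the speed of a single guess. That is what the iteration count (or bcrypt's cost factor) addresses, which is the substance of question 2; a salted MD5 remains a single fast operation per guess however the salt is chosen.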

  20. Pingback: Registrar in Metasploit DNS Hijacking Not Duped by Fax « Cyber Security Aid