Fake Email to Clients – Updates
Dated: October 13th 2013
We are now announcing the conclusive investigation report of the unfortunate incident that took place on October 6th, 2013. Please read the full text of this report below:
Dear PureVPN Clients,
We would like to start by accepting complete responsibility for the unfortunate incident that happened on October 6th, 2013. As one of the biggest VPN provider, PureVPN combats all sorts of malicious attacks and cyber crimes in its' various forms. Our hard working staff is at work 24 hours a day, 365 days a year with a mission to defeat what's bad for millions of innocent internet users world over. Unfortunately, there are times when the bad, thanks to the zero day exploits, gains some upper hand to be able to momentarily disrupt those hard efforts. Hard reality is that, this war between the good and the bad is never ending. Our friends at Google, Apple, Microsoft, Adobe, Facebook, Twitter and others despite having best resources at their disposal all face such short lived defeats but only to grow stronger. Now it's our time to grow stronger.
Our engineers and the security team have worked round the clock, extensively auditing all systems, during the past 8 days to bring this conclusive report out today to our valued users. Although the fix for what was obvious was applied within a few hours, we kept on investigating for the root cause which we hereby present to our valued users.
On 4th Oct 2013 the hacker, using a Romanian IP address was able to exploit a bug in WHMcs, the 3rd party billing and ticketing solution that we use on our website, and ran several SQL injection queries to compromise a few tables including "tblclients", "tbladmins" and "tblconfiguration". The hacker obtained users info (mainly name and email) including hashed passwords (i-e not in a readable form but in an irreversible encrypted form) but obviously couldn't compromise the sensitive billing information (Credit Card or PayPal information) as it's NOT stored on the on-site database. User passwords are also stored using MD5 + (salt) encryption which is essentially irreversible. Although not an imminent threat we encourage our users to reset their passwords as a precautionary measure.
The hacker, knowing that (s)he got a short time window, was not able to compromise the complete users database rather when (s)he reached approx 70,000 clients (s)he moved on to the mass mail stage. Using the same exploit the hacker was able to compromise our SendGrid account access information, the 3rd party SMTP we use for transactional emails, which is stored in WHMcs in the same database (tblconfiguration). After illegally obtaining Email IDs and our SMTP account credentials, the hacker accessed our SendGrid account, imported the Email IDs, created a newsletter and sent the fraudulent mass mail on 6th Oct 2013 at 10:26 HKT (GMT+8).
Further and thorough audit on our VPN systems has confirmed that there was absolutely no breach on the VPN network and throughout the incident our VPN service continued to operate securely. No technical usage data was compromised and since we do not store users activity logs, our users are hereby assured of full anonymity and security throughout.
We have learned several of our mistakes and have started taking measures immediately to prevent this from happening again in the future. As a token of our continued commitment to our clients, we are offering compensation. Details of the compensation are as follows:
- Affected clients who have subscribed for Annual subscription will get 5 weeks of free service.
- Affected clients who have subscribed for Semi-Annual subscription will get 3 weeks of free service.
- Affected clients who have subscribed for Monthly subscription will get 2 weeks of free service.
Again, we accept complete responsibility for what has happened but we are determined to continue our fight against the bad. The war will go on.
Uzair Gadit, Co-Founder,
On behalf of The PureVPN Team.
Dated: October 7th 2013
This is going to be a short update on the matter.
In wake of the hack attempt we have been continuously testing our systems for any further possible security lapses. It been more than 36 hours now since the incident and we want to reassure our valued users that all systems including the Client area, Billing Systems, Support center as well as all the systems of the VPN service including the VPN servers are functioning 100% well. Although never affected, load on the VPN service is usual and we are thankful to our valued users for their understanding and cooperation.
The user database breach that occurred yesterday, due to a security exploit found in the 3rd party application WHMcs, has been identified as an isolated breach that compromised Email IDs and names of a subset of our registered users. We repeat no billing information such as Credit Card or other sensitive personal information was compromised.
Our conclusive investigation report is near completion and We are just waiting on the involved 3rd party services to confirm a few aspects related with their system. We deeply regret this compromise and apologize with our valued users. We further believe we'll learn from our mistakes and grow even stronger. Once the investigation report is out, we'll be announcing compensation for the affected users.
Please follow us on Twitter @purevpn to remain updated with latest developments.
Dated: October 6th 2013
We are writing this post to share a quick update:
Our VPN service is functioning 100% fine and there is no interruption whatsoever. While we are investigating the cause of the email, we reemphasize that, as we do not store any of our users credit card nor PayPal information in our on-site databases, there has been no compromise in our users billing information. Similarly, service troubleshoot logs (connection attempts, users IPs, etc) are safe and intact as we do not store such logs on site. Furthermore, as we vouch for privacy, security and anonymity on the internet, hence we do not store actual VPN service usage logs.
Preliminary reports suggest that we are hit with a zero day exploit, found in WHMcs; 3rd party CRM that we use on our website: http://blog.whmcs.com/?t=79427
We are able to confirm that the breach is limited to a subset of registered users Email IDs and names.
At PureVPN, in recent months, we have experienced phenomenal growth and we are pretty excited with what we have been working on in the back office. Clearly, we are getting more and more popular crossing new heights too fast for some to worry and such attacks are not unexpected with popular services these days. Such incidents add to our resolve to continuously improve our service for our users.
Please follow us on @purevpn to keep up to date with latest developments.
Dated: October 6th 2013
Hope you are doing well and enjoying PureVPN's services.
This morning some of our users have received a fake email and we are putting this blog post as a clarification. We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor do we store our user's personal data to share with anyone.
In terms of service, features, level of support and speed of VPN network we are indeed stronger than ever and our recent growth rate has been phenomenal. Lots of additional features have been planned and we are pretty excited with what we have been working on in the back office.
Status of the VPN service:
Our VPN service is working 100% OK. You may continue using our VPN service which is secure to the highest possible levels of encryption.
Status of Billing Portal / Client area:
While we are investigating the issue, we've temporarily disabled everyone from logging into the billing portal / client area.
We'll shortly be communicating further updates. To remain informed, please follow us on twitter.
Uzair Gadit, Co-founder.
On behalf of The PureVPN Team.
Have something to add to this story? Share it in the comments.