Hey there, I'd love to hear a bit more about your negative experience a couple years ago and how we could make things better. Didn't see an email in your profile -- could you email me at david@weebly.com? Would really appreciate your feedback!
I think it's a bit more nuanced. If you have a high title, you get people's attention immediately, but it takes time to earn their respect, and the two are quite different.
In terms of appsec, we run quarterly black box pen tests and annual comprehensive white box pen tests with well-regarded firms, and have been rotating vendors on a regular basis for diversity. We also do a lot of stuff internally, like regular scanning, and internal sprints focused on vuln detection. We've been doing this for years. That's not to say we're perfect (we clearly are not) but we do take it seriously.
Obviously, this is a very disappointing situation for us -- we've always taken security very seriously since day 1, it's something that's been core to who we are from the beginning.
That said, how you respond in this situation can be just as important, and so we are making sure to be incredibly proactive in addressing the situation & transparent in how we communicate the details with our customers. Our top and immediate concern has been our users and the safety of their accounts.
A few days ago we became aware that an unauthorized party obtained email addresses/usernames, last login IP addresses and bcrypt hashed passwords for a large number of customers (anyone who signed up prior to March 1 of this year).
At this point we do not have evidence of any customer website/account being improperly accessed. It's also worth noting that we do not store any full credit card numbers on Weebly servers, so any credit card information was not part of this incident.
We immediately started working on taking steps to notify our customers, and were able to get this out in a matter of a few days. We're initiating password resets as of this morning, and we've also made several improvements to the application including new password complexity requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity. We also increased our bcrypt work factor from 8 to 10, and all passwords will be automatically upgraded as of the next time a user logs in.
We've hired an incident response firm who is working with our internal team to complete a full investigation. In the meantime, we're examining our stack top to bottom and taking many steps to enhance our network and application security. This is an area we take very seriously and we'll be putting in tremendous effort to ensure this doesn't happen again.
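The upgrade-on-login step described above, as an added example (not Weebly's code and not from this thread): bcrypt stores its work factor inside the hash string, so a verifier can spot a cost-8 hash at login time and rehash at cost 10 using the plaintext it has just verified. The `checkpw` and `hashpw_at_cost` callables are assumed thin wrappers around whatever bcrypt library is in use.

```python
import re

# bcrypt hashes are self-describing: "$<version>$<cost>$<22-char salt><31-char hash>",
# e.g. "$2b$10$" followed by 53 characters from bcrypt's ./A-Za-z0-9 alphabet.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{53})$")


def bcrypt_cost(stored):
    """Return the work factor encoded in a stored bcrypt hash, or None when the
    string is not a bcrypt hash at all (a legacy scheme that also needs upgrading)."""
    if isinstance(stored, bytes):          # PyPI bcrypt returns bytes
        stored = stored.decode("ascii")
    m = _BCRYPT_RE.match(stored)
    return int(m.group(2)) if m else None


def needs_rehash(stored, target_cost):
    """True when the stored hash should be recomputed at target_cost."""
    cost = bcrypt_cost(stored)
    return cost is None or cost < target_cost


def attacker_slowdown(old_cost, new_cost):
    """bcrypt runs 2**cost key-setup rounds, so raising the cost by k makes every
    offline guess 2**k times more expensive (8 -> 10 is a 4x increase)."""
    return 2 ** (new_cost - old_cost)


def login_with_upgrade(account, password, store, checkpw, hashpw_at_cost,
                       target_cost=10):
    """Verify the password and, on success, transparently rehash the stored
    value if it is below target_cost. Returns (authenticated, upgraded).

    store maps account -> hash string. checkpw(password, stored) -> bool and
    hashpw_at_cost(password, cost) -> str are assumed wrappers around the real
    library; with PyPI bcrypt that is bcrypt.checkpw and
    bcrypt.hashpw(pw, bcrypt.gensalt(rounds=cost)) (bytes in, bytes out)."""
    stored = store.get(account)
    if stored is None or not checkpw(password, stored):
        return False, False                # never touch the hash on failure
    if needs_rehash(stored, target_cost):
        # The plaintext only exists at login time, which is why the upgrade
        # happens here rather than as a batch job over the whole table.
        store[account] = hashpw_at_cost(password, target_cost)
        return True, True
    return True, False
```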
This title is incorrect. Credentials were not stolen; usernames and hashed passwords were stolen. That is not the same as having everyone's password. The title implies someone can easily log in to your account.
This is also not true, as, if they used bcrypt (a key derivation function), the hash is salted, so even users using common passwords are protected against rainbow-table (lookup table) attacks.
As for brute force, yes, attackers now know usernames, so they can try brute-forcing the live sites, or brute-forcing each user hash.
I believe he meant they will try the top 100 most common passwords on each account on the website directly, resulting in "82% of users at risk", assuming 82% of users use one of these 100 passwords.
Strong brute-force protection (e.g. blocking the account for exponentially increasing times) could mitigate this attack vector.
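The exponential lockout suggested above, as an added example that is not part of the original thread: a per-account throttle that a login handler consults before spending any KDF work. The credential store and the PBKDF2 stand-in for bcrypt are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

class LoginThrottle:
    """Per-account exponential lockout: failures beyond free_attempts lock the
    account for base_delay * 2**(k-1) s (k-th excess failure), capped at max_delay."""
    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=3600.0, clock=time.monotonic):
        self.free_attempts, self.base_delay = free_attempts, base_delay
        self.max_delay, self.clock = max_delay, clock   # clock is injectable for tests
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> clock() value when the lock ends

    def seconds_locked(self, account):
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account):
        n = self._failures[account] = self._failures.get(account, 0) + 1
        if n <= self.free_attempts:
            return 0.0                       # still within the free attempts
        delay = min(self.base_delay * 2 ** (n - self.free_attempts - 1), self.max_delay)
        self._locked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):       # a good login resets the counter
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def attempt_login(throttle, verify, account, password):
    """Returns "locked", "ok" or "bad_password"; lock is checked before the KDF."""
    if throttle.seconds_locked(account) > 0:
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_password"

# Constructed credential store for the demo; PBKDF2 stands in for bcrypt only
# because it ships with the standard library (the throttle is KDF-agnostic).
_SALT = os.urandom(16)
def _kdf(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)
USERS = {"alice@example.com": _kdf("correct horse battery staple")}

def verify_password(account, password):
    stored = USERS.get(account)
    if stored is None:  # run the KDF anyway so unknown accounts are not faster
        _kdf(password)
        return False
    return hmac.compare_digest(stored, _kdf(password))
```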
Why are you guys talking about live site and rainbow table???
The attackers have the salts and the hashes, they can brute force the hashes offline with [ocl]hashcat as they wish.
Top 100 passwords * 43M accounts is only ~4B hashes to compute. We don't know what bcrypt parameters they used but we're probably talking a few hours here, maybe only a few minutes.
To brute-force the top 100 passwords, only the usernames were really required. One can easily brute-force the top 100 passwords on a live site.
You are right that it's now very easy to use dictionary attacks on all the credentials offline, and those with super weak passwords will have their accounts compromised.
Just tried updating my password for my weebly account. It appears this functionality is broken. It keeps telling me that "Your current password must be correct". I logged in and out with the same password a couple times to confirm I'm not crazy.
Can you email me at david@weebly.com? We looked into this shortly after you posted this comment and can't replicate (also not receiving other complaints)... If you can email me we'll get to the bottom of it -- thanks for letting us know!
Why does it take a few days to send an email saying "we got hacked, please change your passwords promptly".
I accept there are costs to jumping the gun and passing out incomplete information, but if I screw up I tell the affected parties that day. Not after a few days of planning how to manage the message.
For one, it's pretty challenging to send out 43M similarly-looking emails within 24h without tripping a whole bunch of anti-spam filters - even when you're using tailored services (that distribute over IPs with good rep, etc) like Amazon SES.
This is silly – the entire process of "Oh, we got hacked. What did they access? Who's been compromised? Better write an email. Better find a channel to send that email, and wait for it to be sent" could very, very obviously take a couple of days. You are unfairly trivialising that.
My point was that transactional emails do not hit any spam filters. And since email services track how many emails were opened, I am pretty sure 'we have been hacked' will be opened quite often and will never be in the spam folder.
From the point of view of a spam filter, there isn't really any difference between a "transactional" (what a horrible name, but not your fault that the industry has adopted it) email and any other email.
"Transactional" emails simply have some distinctive elements, such as the first and last name of the customer, which make them less likely to be filtered out.
First and last name in the email alone doesn't guarantee hitting the inbox. Huge free email services use social 'signals' such as open rates, 'this is spam', 'this is not spam', as well as the IP reputation I mentioned earlier, to determine if an email hits the inbox.
So, there is obviously a difference in those metrics between a simple notification 'your account has been hacked, change your password' and 'hey, we haven't seen you for ages'. As the email system notices high user involvement it will never ever block such emails. Actually, I think it will increase IP reputation.
"transactional emails" is a term marketers use, but in reality the email systems do not know the difference. And yes we did get stopped by various ISPs, and yes we did have to get some on the phone.
As I understand it, a transactional email is often triggered by the user (new account creation, forgot password, etc.). By definition, those are sent spread out over time.
This is - at least from a spam filter's perspective - a huge email broadcast, more akin to a newsletter mailing or a spam run.
And semantics aside, a lot of those 43M users will consider the email to be unsolicited (didn't remember they signed up, don't care about computer security, etc). They will happily report such an email as spam, adding to the training set.
In a perfect world companies would recognize and react to security breaches almost as soon as they happen. But if you have ever managed the logging pipeline or incident response practice for a company, you understand that this is deeply unrealistic.
There is virtually no company which discovers that it has been breached within a short period of time - the nature of a security breach is such that it doesn't generally become apparent until some time later. This pattern continually plays itself out with just about every large breach you can think of.
In that respect, considering Weebly actually hashed their passwords with bcrypt and is reacting to the breach in the same year, they're fairly far ahead of the curve on this one.
"we've always taken security very seriously since day 1"
No you have not, because then this would not have happened. The only one who should be able to query passwords from the database should be the DBA. Everyone else should only be able to validate against it. So either it's an inside job by your DBA, or you thought your users' security was less important than avoiding the friction such high security standards would have introduced in your workflow.
Security is hard. It is very possible to take it seriously, do many things right (perhaps everything right, insofar as it's in your power), and still have your company end up in a headline like this.
You can parameterize your queries until you're blue in the face, but that won't help you if the right employee is phished (for example). This is an inherently imperfect and chaotic world, and it's unrealistic to assume that you're insulated from these scenarios just because you locked down database access correctly.
Personally, I believe David when he says Weebly takes security very seriously.
I'm kind of tired of the "Security is hard, everyone gets hacked eventually and we are just victims" mentality. This is not true. Why don't we see people's banking information plastered over the web every month? That, if anything, would be a high-value target. No, it's always these Web 2.0 services this happens to. Now, you could argue that a small SaaS service can not possibly afford security as rigorous as a bank, but guess what, if you are going to handle people's information, and don't have the assets to protect it, then maybe your business is not viable enough?
I invite you to research this topic more thoroughly.
First, while there is a recent uptick in breaches, newsworthy ones do not happen every month. There does appear to be something of a clustering effect, which I think is attributable to a number of different causes. [1]
Second, banks, even very large ones like Citigroup and Chase, have been compromised in recent memory. [2] Even the IRS suffered one of the largest breaches ever, just last year. Peripherally "financial" institutions that aren't banks have also suffered breaches, such as every single credit card processor and NASDAQ.
You have a right to be upset about the increasing probability of your passwords being compromised by third parties. As a consumer, you can mitigate the damage of such breaches by 1. using a password manager, 2. using a different password for each and every account you have and 3. generating extremely secure passwords for each account. You can also use services like HaveIBeenPwned [3] to stay ahead of the damage.
However, your indictment here is unreasonable. Like basically everyone else in this thread, you don't have much information to go on yet. Weebly properly hashed and stored their passwords. As far as breaches go, this one is pretty tame. They are reacting responsibly and quickly considering the breach happened this year - normally we'd find out about this in three years. We do not yet know the root cause of the attack, and the criticism you're levying against Weebly is equally applicable to the industries you believe are more safe (they aren't). While many "web 2.0" companies may be rather lax in security, Weebly did not do anything obviously wrong or negligent here.
________________________
1. As data breaches become more of a hot topic, they will be more likely to be reported widely because it guarantees eyeballs. Similarly, it increases scrutiny, which aids in discoverability, and leads to more copycat hackers attempting these breaches for fame or fortune.
They kept the usernames in the clear. It is possible to create a service that never stores usernames but only hashes of them too. Keep an email linked to that account for a reset of the username / password combo.
Then breaches only reveal emails and a pair of hashes, so to control the account you need to control the email.
It is possible to do any number of weird things that practically nobody in the whole world, including companies with the best security teams in the world, actually do. Tokenizing email addresses is indeed one of those weird things.
So true. They also have government agencies on their side. If you hack a bank, you're messing with money which suddenly involves a whole raft of governmental agencies.
That's ridiculous; older businesses and government services are compromised all the time!
And let's not forget that there is a spectrum of value associated with information. On the one hand, I'd rather my bank details and payments weren't publicly released. On the other… IP address, bcrypted password and email address? Minimal relative value.
The reason this attack became known as the SWIFT hack is that the hackers were able to send messages over the SWIFT network to transfer money around; however, this is how the system is supposed to operate, it's what the SWIFT network does.
What was hacked was the bank where the messages were sent from.
If you read the article (any of the articles), the headlines always talk about the 'SWIFT hack'; however, it was the _banks_ that were hacked (and the article says so), not SWIFT.
Seriously dude? People fuck up all the time, it doesn't mean the company doesn't take security seriously. Furthermore taking something seriously and being successful at your serious undertaking are different things.
We learned a lot, and things have been completely different this time around. We were much more careful about managing timelines & deliverables much further upstream, delivering features in more of a phased approach to prevent one big last-minute merge with unanticipated interaction effects, ensuring adequate time for internal testing as well as external beta testing to uncover bugs of all kinds (regressions, usability, etc), and then cutting scope aggressively if necessary as the deadlines approach to make sure that we maintain a very high quality bar -- those are just a few of the things we've been able to improve on.
Very proud of Weebly 4 and the team that made it all happen, it's both our biggest release ever, as well as our most polished!
We're still hanging in there. Our Open Source user base keeps growing, but revenue from our commercial products has been flat for too long; we're working on some hosted products, to hopefully address that. It's likely a pivot is in our future. And, on the personal front, I'm still traveling mostly full-time in an RV (as I've been doing off and on since I left the valley ~7 years ago).
1. WordPress is probably better if you really want a platform to build something very custom off of, so in that sense it would be an alternative to a Django/Rails/Node solution. The downside is that it's a lot of work to both build and maintain, worrying about scaling, ongoing security patches and maintenance, etc.
2. One, Weebly is a much more intuitive, easy to use platform, two, we have a powerful ecommerce platform built-in (Wix doesn't have this), three, we have iOS and Android apps to create or manage everything from (no one else has that), four, we have a deep developer ecosystem (over 200 third party apps and integrations, the most of any platform), and five, the website, ecommerce, and email marketing is deeply integrated, others are more a collection of pieces.
Very true. Great photography is key for a great looking site. We do have some good stock photography available, but it will never look as good as the real deal.
I love your suggestion for more typography focused themes!