On December 13th 2020 we were notified of a potential security flaw that may have exposed some of your files and data to hackers. That evening we immediately purged older and unused files and submitted a ticket to Azure for further clarification. On the 15th we updated the settings within Azure so that data would no longer be visible via the method that was found.
Since then we have focused on ensuring your current and new files are properly secured. On December 22nd we upgraded our storage system to new private, secure storage that is not indexed and is only accessible to authenticated users of the platform. Going forward, all files associated with a CRM record will go into our secured storage, as will all files that are marked with permissions when uploaded.
To show that we take these alerts seriously: we resolved the issue before being notified by Microsoft Azure on December 23rd at 2:25 pm of this potential file access. By that time we had already patched and then fully resolved the issue. You can review Microsoft's letter below.
What it's not!
There is no detail on exactly which files, if any, may have been exposed, but we can assure you that no files contained passwords, credit card information or other sensitive items such as access keys. The exposure did not include our database, backups or the source files for our platform. In many cases you may have had no private files stored in these directories at all. It was not access to all of our files and directories, only a few that are used for the media you upload, responses to forms and downloaded reports.
How we're keeping you safe(r):
We have put in place several solutions and techniques to prevent this from occurring again. These include:
- Storing all private and customer-sensitive files in our secure storage
- Ensuring secure storage is only accessible through authenticated means
- Ensuring no one can browse or list all items in a folder or directory
- Setting up a log that records each person who exports data
- Automatically purging exported data daily
When someone now tries to access a resource they do not have access to, they get an error message like the following:
<Error>
<Code>PublicAccessNotPermitted</Code>
<Message>Public access is not permitted on this storage account. RequestId:005cc70b-d01e-006f-549a-df7217000000 Time:2020-12-31T17:31:59.4175116Z</Message>
</Error>
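To make the hardening list above and the error shown concrete, here is an added Python example (not the platform's own code) that audits storage account and container settings for anonymous access, builds the anonymous container-listing URL a checker would request, and classifies the XML body that request returns. The input records are constructed and assume the JSON field names that `az storage account show` (`allowBlobPublicAccess`) and `az storage container list` (`properties.publicAccess`) emit; the account and container names are made up.

```python
"""Audit Azure Storage for anonymous (public) access and classify the response an
anonymous request receives. Added example, not the platform's own code.

Assumptions: input dictionaries mirror the JSON shape of `az storage account show`
and `az storage container list`; account/container names are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample accounts. `allowBlobPublicAccess` is the account-level switch;
# null means "not explicitly set", so only an explicit False counts as locked down.
ACCOUNTS = [
    {"name": "legacymedia", "allowBlobPublicAccess": None},
    {"name": "securestore", "allowBlobPublicAccess": False},
]

# Constructed sample containers per account. `publicAccess` is "container"
# (anonymous listing and read), "blob" (anonymous read by exact URL) or null (private).
CONTAINERS = {
    "legacymedia": [
        {"name": "uploads", "properties": {"publicAccess": "container"}},
        {"name": "reports", "properties": {"publicAccess": "blob"}},
        {"name": "forms", "properties": {"publicAccess": None}},
    ],
    "securestore": [
        {"name": "crm-files", "properties": {"publicAccess": None}},
    ],
}


def audit(accounts, containers):
    """Return findings as (account, container, severity, reason) tuples.

    Both layers are checked: the account switch and each container ACL. A public
    container ACL on an account whose switch is explicitly off is only "low", because
    the account switch overrides it; on an account that still allows public access it
    is "high", since that is exactly the misconfiguration the notice describes.
    """
    findings = []
    for acct in accounts:
        name = acct["name"]
        allows_public = acct.get("allowBlobPublicAccess") is not False
        if allows_public:
            findings.append((name, None, "medium",
                             "account-level allowBlobPublicAccess is not explicitly false"))
        for c in containers.get(name, []):
            acl = c["properties"].get("publicAccess")
            if acl not in ("container", "blob"):
                continue
            sev = "high" if allows_public else "low"
            reason = ("anonymous listing and read (publicAccess=container)" if acl == "container"
                      else "anonymous read by URL (publicAccess=blob)")
            findings.append((name, c["name"], sev, reason))
    return findings


def listing_url(account, container):
    """Anonymous container-listing URL (Blob REST API List Blobs operation)."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


# Constructed copy of the body the page shows an anonymous request receiving after lockdown.
LOCKED_DOWN_RESPONSE = """<Error>
<Code>PublicAccessNotPermitted</Code>
<Message>Public access is not permitted on this storage account. RequestId:... Time:...</Message>
</Error>"""

# Constructed listing body, the shape an exposed container returns to an anonymous GET.
EXPOSED_LISTING = ('<EnumerationResults ServiceEndpoint="https://legacymedia.blob.core.windows.net/" '
                   'ContainerName="uploads"><Blobs><Blob><Name>report.csv</Name></Blob></Blobs>'
                   '<NextMarker /></EnumerationResults>')


def classify_anonymous_response(body):
    """Classify the XML body of an unauthenticated GET against a listing URL.

    "exposed": a blob listing came back, so the container is publicly browsable.
    "locked":  PublicAccessNotPermitted, the account-level switch is off (the page's sample).
    "denied":  some other error; the container is private but the account may still allow
               public access, so it should still appear in the audit above.
    "other":   not an Azure XML body at all (proxy page, empty reply), worth a manual look.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "other"
    if root.tag == "EnumerationResults":
        return "exposed"
    if root.tag == "Error":
        return "locked" if root.findtext("Code") == "PublicAccessNotPermitted" else "denied"
    return "other"


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, CONTAINERS):
        print(finding)
    print(listing_url("legacymedia", "uploads"))
    print(classify_anonymous_response(LOCKED_DOWN_RESPONSE))
```

Run against real output by piping `az storage account list` and `az storage container list --account-name <name>` through `json.load` into the two structures. Note that the audit treats a null `allowBlobPublicAccess` as a finding on purpose: "not set" is not the same as "disabled", and only the explicit false setting produces the PublicAccessNotPermitted response shown above.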
Letter From Microsoft Azure
Your data might be at risk. Review public access permissions of your Azure Storage accounts now

You're receiving this notice because you use Azure Storage. Recently, some of the data stored in publicly accessible cloud storage, including Azure Storage accounts, was indexed and published online to potentially malicious websites. Malicious actors can search these indexes to locate and access sensitive data inappropriately stored in the indexed storage containers. While it is legitimate for some Azure Storage account containers to be publicly accessible (to host websites for example), it is also not uncommon that some containers with sensitive data can be publicly accessible due to a misconfiguration, putting sensitive data at risk and exposing it to breaches.

Why am I receiving this email?

As part of our efforts to help Azure customers better protect their data and resources, we have reviewed the above indexes and are now notifying relevant customers to help them take any required measures (see recommended actions below). For details on the indexed Azure Storage account containers we found in your storage account, see the Account Information section of this notice.

Recommended actions

- To monitor unusual and potentially harmful activities to access or exploit data in your storage accounts, you can enable Azure Defender for Storage (free for 30 days).

If you have any questions, please contact us. Please note that this email communication is sent per storage account, so you may receive additional similar emails if some of your other storage accounts were also indexed recently.