“If someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”
Chicago-based web application developers Basecamp successfully mitigated a mass-login attempted on their network by attackers using stolen email and password information.
Threat actors instigated a credit stuffing attack against Basecamp’s website, which over the course of an hour experienced more than 30,000 login attempts. The IP addresses associated with the malicious access attempts came from a wide array of global locations.
In response to the attack Basecamp began blocking the offending IP addresses. However, the flood of login attempts was too much, so they were forced to initiated a captcha test on the login process which held back the tide.
In the aftermath of the attack Campbases ran a diagnostic and found that only 124 accounts had been accessed by unauthorised users.
Writing in a blog about the cyber incident Basecamp CTO David Heinemeier Hansso detailed their response stating that once the attack was over: “We immediately reset the password for these accounts, logging out any intruders, and emailed the affected account holders with all the relevant information.”
Basecamp Says They Can Only Do So Much
The attackers had gained access via valid login credentials most likely obtained in a breach and then sold online much like the Collection #1 cache of credentials recently discovered.
The preliminary investigation into the hack found that none of the accounts which had been accessed had any actions preformed within them. This is consistent with the nature of a credit stuffing attack were an automated login process tries thousands of email and password combinations in order to see which ones are still valid.
David Heinemeier Hansso commented that their: “Ops team will continue to monitor and fight any future attacks.”
He praises the in-house cybersecurity team for their quick and effective cyber response, but he warns users that: “If someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”