· 6 years ago · Mar 12, 2020, 05:12 PM
Date: 12th March 2020

We are contacting you today to make you aware of a data security incident that we experienced at Open Exchange Rates last week. Following a security breach at one of our third-party IT providers, it appears that a secure access key for our Amazon Web Services infrastructure was compromised. Using these compromised credentials, an unauthorised third party was able to gain access to our network, including a database containing user data.

What Happened

On Monday 2 March 2020, we received reports that requests to our API were taking longer than usual to receive a response, resulting in timeouts for a number of users.

Upon investigation, we determined that this was the result of a network misconfiguration. Although many API responses during this time were still being successfully served, some users further reported that exchange rates in their API responses appeared to have ceased updating throughout the morning. While correcting the underlying network issue, we identified that changes had been made to our AWS environment by an unauthorised user account.

We immediately shut off access to this user and worked to restore full operation to our platform, and the issues were corrected by 15:00 GMT. After the incident had been contained, we immediately began working to establish the cause and extent of the unauthorised access, alongside specialised IT security consultants.

Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data. Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network.

What Information Was Involved

There is no evidence to suggest that information relating to you was specifically targeted during the incident. However, our investigations have found that some of your information is contained in this database and therefore would have been accessible to the unauthorised third party. The information relating to you that may have been taken includes:

- The name and email address you registered with;
- An encrypted/hashed password used by you to access your account connected with the platform;
- IP addresses from which you have registered and/or logged into your account with us;
- App IDs (32-character strings used to make requests to our service) associated with your account;
- Personal and/or business name and address (if you have provided these);
- Country of residence (if provided);
- Website address (if provided).

What You Can Do

Given the nature of this information, it is important that we make you aware of the incident and any associated risks. There is a risk that the data that may have been extracted from our network could be used to facilitate fraud, identity theft or social engineering attempts. As a result, we recommend that you exercise increased vigilance in all matters relating to your personal and/or business details.

No passwords are stored in plain text on our site, and we have not identified any unauthorised access to your Open Exchange Rates account as a result of this incident. Nonetheless, we have taken the precautionary step of resetting the password for your account. In order to log into your account dashboard, please submit the form at the address below and follow the instructions in the email you receive.

https://openexchangerates.org/new-password?email=<redacted>

As the App IDs (API keys) connected to your account are also potentially affected, you may also wish to generate new ones to access the service via your account dashboard. We do not have any evidence of these being used to gain access to the API; however, they could be used to query exchange rate information from our service using your account.

In addition, it is good practice to:

- Be suspicious if anyone contacts you by email, phone call or text message asking you to confirm your personal details;
- Enable two-factor authentication on all of your online services that offer this;
- Use different passwords for different online accounts.

What We Are Doing

We have already taken several initial steps in response to the incident, including:

- Securing our infrastructure against any further unauthorised access;
- Appointing a specialist IT security and forensic provider to investigate the incident;
- Notifying the Information Commissioner's Office, the Police and applicable banks/card issuers;
- Engaging a 24/7 specialist team to provide network security and integrity monitoring going forward; and
- Creating a timeline for reducing the amount of data we process to the minimum required to provide our service.

Our investigations are ongoing, but we are confident that no further breach of this kind is now possible.

We are sincerely sorry for any concern and inconvenience this may have caused you. We would like to reassure you that we take our responsibilities for the protection of your data very seriously. Our AWS architecture has been designed according to the best practices for secure, high-availability services. This was a sophisticated attack, made possible by a data security breach at a third-party supplier, and we deeply regret that a compromised access key was able to facilitate unauthorised access in this way, resulting in the first security incident in our 8-year history.

For More Information

If you have any questions, then please don't hesitate to reply to this email or contact us at support@openexchangerates.org. We will be happy to help you in any way we can.

Kind regards,

Open Exchange Rates
--
support@openexchangerates.org
https://openexchangerates.org

--

UNSUBSCRIBE: This is a one-time notice relating to your Open Exchange Rates account, and not a marketing newsletter, so there's no "Unsubscribe" button. However, if you no longer need your account with us, please email privacy@openexchangerates.org with "Delete Account" in the subject line. We will remove your data from our systems and will not contact you again, unless you ask us to in future. Please note that we may respond asking you to confirm your request, if the account appears to show currently active use (this is to prevent accidental interruption to any connected API integrations).
74UNSUBSCRIBE: This is a one-time notice relating to your Open Exchange Rates account, and not a marketing newsletter, so there's no "Unsubscribe" button. However, if you no longer need your account with us, please email privacy@openexchangerates.org with "Delete Account" in the subject line. We will remove your data from our systems and will not contact you again, unless you ask us to in future. Please note that we may respond asking you to confirm your request, if the account appears to show currently active use (this is to prevent accidental interruption to any connected API integrations).