DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

BrowserStack not shutting down, but email addresses were hacked (update1)

Posted on November 10, 2014 by Dissent

BrowserStack has been hacked.

The following was posted to Pastebin anonymously yesterday:

Dear BrowserStack User,

We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer.  In our terms of service, we state the following:

[…] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.

[…] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.

[…] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.

Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password “nakula” on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (“c0stac0ff33”).

Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.

We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.

Sincerely,
The BrowserStack Team

So I checked BrowserStack’s website, only to see this:

We’ll be back soon!

Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!— The Team

In light of details in the paste, it seemed quite likely that they were hacked and were busy addressing security issues, so DataBreaches.net sent them an inquiry asking them to confirm or disconfirm the suspected breach.

BrowserStack responded with the following statement this morning:

BrowserStack is not shutting down. An attacker gained access to a list of user email addresses on BrowserStack on 9 November, 2014 at 23:30 GMT.

We deeply apologise for the concerns that our users have been experiencing due to the attack on BrowserStack. We have determined that the hacker’s access was restricted solely to that list of email addresses. As a precaution, we recommend changing your BrowserStack password.

We are still in the process of sanitisation, and making doubly sure this situation never reoccurs. We are on top of it, and will post updates as they happen.

Thank you for your patience. BrowserStack will be back up in a few hours.

Regards,

Adithya Chadalawada
www.browserstack.com

The site is back up now, with no message on the homepage about any attack.

BrowserStack claims to have more than 25,000 users.

Update 1: Nov. 10:  BrowserStack informs DataBreaches.net:  “All BrowserStack services are now up and running. We are keeping a strong check on our systems and will email all users the entire analysis.”  We have asked them for specific responses to allegations about passwords and ports and will update further when we get a response.


Related:

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Two more entities have folded after ransomware attacks
  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks
  • Global hack on Microsoft product hits U.S., state agencies, researchers say
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Bitcoin holds steady as hackers drain over $40 million from CoinCDX, India's top exchange
Category: Breach IncidentsBusiness SectorHack

Post navigation

← Trust Trumps Privacy In Battle For Patient Health Data
Federal workers weaken cyberdefense →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.