BrowserStack is a cross-browser testing tool that allows its 25,000 customers to test their websites on over 700 different web browsers across various desktop operating systems and mobile platforms. It claims to have some big guns like Microsoft, GitHub, eBay, Adobe, MIT, VISA, and Wikipedia as customers.
The fact that BrowserStack was hacked became known after customers received an email that reads as though it was written by a disgruntled employee, so its claims may not be accurate. Back in September, the FBI and DHS issued a warning about a significant uptick in insider threats, costing victim businesses from $5,000 to $3 million. There is also a chance that the claims are true and that the email was simply the hacker’s preferred way of announcing the breach. A copy of the email is on Pastebin:
Dear BrowserStack User,
We are unfortunately displeased to announce that BrowserStack will be shutting down. After much consideration on our part, we have realized we were negligent in the services we claimed to offer. In our terms of service, we state the following:
[...] after the restoration process is complete, the virtual machines are guaranteed to be tamper-proof.
[...] The machines themselves are in a secure network, and behind strong firewalls to present the safest environment possible.
[...] At any given time, you have sole access to a virtual machine. Your testing session cannot be seen or accessed by other users, including BrowserStack administrators. Once you release a virtual machine, it is taken off the grid, and restored to its initial settings. All your data is destroyed in this process.
Unfortunately, we have blatantly lied. Not only do all of our administrators have access, but so does the general public. We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password "nakula" on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched ("c0stac0ff33").
Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised. These passwords take no less than 15 minutes to find for anyone who is looking.
We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.
The BrowserStack Team
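As an added defensive illustration, not taken from the article or from BrowserStack, here is a small fleet-audit script that flags the three weaknesses the email alleges: a VNC listener on port 5901 bound to a public interface, one root password hash cloned across every machine, and credential files stored in plaintext on the guest. The VM facts are constructed sample data, and the VmFacts fields are assumptions about what a collector would gather.

```python
from collections import Counter
from dataclasses import dataclass

VNC_PORT = 5901
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class VmFacts:
    """Facts gathered from one VM (constructed for this example)."""
    name: str
    listeners: list             # (bind_address, port) pairs, e.g. from `ss -ltn`
    root_hash: str              # hash field of root's /etc/shadow entry
    plaintext_cred_files: list  # files holding secrets in the clear


def audit_fleet(vms):
    """Return (vm_name, finding) pairs for the three alleged weaknesses."""
    findings = []
    # 1. VNC bound to a non-loopback address is reachable from outside
    #    unless a firewall blocks it; the email says there was none.
    for vm in vms:
        for addr, port in vm.listeners:
            if port == VNC_PORT and addr not in LOOPBACK:
                findings.append((vm.name, f"vnc listening on {addr}:{port}"))
    # 2. An identical salted hash on several machines means the shadow entry
    #    was cloned from one image, i.e. one shared root password.
    hash_counts = Counter(vm.root_hash for vm in vms)
    for vm in vms:
        if hash_counts[vm.root_hash] > 1:
            findings.append((vm.name, "root password shared with other VMs"))
    # 3. Credentials stored in plaintext on the guest itself.
    for vm in vms:
        for path in vm.plaintext_cred_files:
            findings.append((vm.name, f"plaintext credential file {path}"))
    return findings


# Constructed sample fleet: two VMs with every weakness, one hardened VM.
SAMPLE_FLEET = [
    VmFacts("vm-a", [("0.0.0.0", 5901), ("127.0.0.1", 22)], "$6$s1$AAAA", ["/root/.vnc/passwd"]),
    VmFacts("vm-b", [("0.0.0.0", 5901)], "$6$s1$AAAA", ["/root/.vnc/passwd"]),
    VmFacts("vm-c", [("127.0.0.1", 5901)], "$6$s2$CCCC", []),
]

if __name__ == "__main__":
    for name, finding in audit_fleet(SAMPLE_FLEET):
        print(f"{name}: {finding}")
```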
When worried customers checked out the site to see if it was shutting down, they saw a standard maintenance notice:
We’ll be back soon! Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!
“BrowserStack is not shutting down,” the company told DataBreaches.net. “An attacker gained access to a list of user email addresses on BrowserStack on 9 November, 2014 at 23:30 GMT.” The response mentioned sanitization to make “doubly sure this situation never reoccurs,” but added, “We have determined that the hacker’s access was restricted solely to that list of email addresses. As a precaution, we recommend changing your BrowserStack password…. We are on top of it, and will post updates as they happen.”
The company issued a similar update via a tweet:
One big update is that the site is back up, but there is no notification of the hack on BrowserStack’s site.
Regarding some of the actual claims, one Hacker News commenter wrote: “I had an issue a year back when I logged into a session, and could perfectly see another user's session in progress, internal URL in the browser, mouse moving around. I freaked out, watched for 3-4 seconds, and then got kicked out of the session.”
After reporting the issue, BrowserStack claimed it had “fixed the root cause.” Other Hacker News commenters also reported experiencing security-related issues while using the site.
BrowserStack has since taken to Twitter to say the company intends to post a “post-mortem of the attack.”
Whether or not that goes up on BrowserStack’s site remains to be seen, as a different tweet claimed, “We will email all users with the entire analysis soon.”