View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 1, 2019

Basecamp Fights Off Mass Login Attempt With Quick Cyber Response

“If someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”

By CBR Staff Writer

Chicago-based web application developers Basecamp successfully mitigated a mass-login attempted on their network by attackers using stolen email and password information.

Threat actors instigated a credit stuffing attack against Basecamp’s website, which over the course of an hour experienced more than 30,000 login attempts. The IP addresses associated with the malicious access attempts came from a wide array of global locations.

In response to the attack Basecamp began blocking the offending IP addresses. However, the flood of login attempts was too much, so they were forced to initiated a captcha test on the login process which held back the tide.

In the aftermath of the attack Campbases ran a diagnostic and found that only 124 accounts had been accessed by unauthorised users.

Writing in a blog about the cyber incident Basecamp CTO David Heinemeier Hansso detailed their response stating that once the attack was over: “We immediately reset the password for these accounts, logging out any intruders, and emailed the affected account holders with all the relevant information.”

Basecamp Says They Can Only Do So Much

The attackers had gained access via valid login credentials most likely obtained in a breach and then sold online much like the Collection #1 cache of credentials recently discovered.

The preliminary investigation into the hack found that none of the accounts which had been accessed had any actions preformed within them. This is consistent with the nature of a credit stuffing attack were an automated login process tries thousands of email and password combinations in order to see which ones are still valid.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

David Heinemeier Hansso commented that their: “Ops team will continue to monitor and fight any future attacks.”

He praises the in-house cybersecurity team for their quick and effective cyber response, but he warns users that: “If someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.