Security Experts:

PagerDuty Warns Customers of Data Breach

San Francisco-based operations performance management company PagerDuty informed customers on Thursday that its systems were breached earlier this month.

According to Andrew Miklas, PagerDuty co-founder and CTO, the intrusion was detected on July 9 and the attack was blocked within a few hours. An investigation revealed that the attacker managed to bypass multiple layers of authentication and gained access to an administrative panel provided by one of the company’s hosting providers.

This allowed the attacker to log into a replica of a PagerDuty database containing users’ names, email addresses, password hashes, and public calendar feed URLs. Miklas says there is no evidence that the attacker gained access to corporate, financial, technical, or sensitive user information.

“As you know, we do not collect customers’ social security numbers and we do not store or have access to customer credit card numbers. This incident also had no impact on our ability to provide services to our customers,” Miklas said in a blog post.

The company believes it’s unlikely that the attacker will manage to crack the passwords because they have been hashed using unique, randomly generated 40-character salt and pepper, and there is no evidence that the attacker accessed the pepper.

“If you have logged into your account since January 1, 2015, your password is hashed with Bcrypt with a work factor of 10, using a per-user randomly generated salt and a site-wide pepper,” PagerDuty told customers. “Older passwords are hashed with SHA-1 stretched over multiple rounds and using the same salt and pepper approach.”

Nevertheless, the company is asking customers to change their passwords as a precaution. Those who don’t change their passwords until August 3 will be logged out from their accounts and they will receive an email prompting them to change their password. Customers are also advised to reset calendar feed URLs, which provide a read-only calendar of when they are on-call, and revoke and re-add access to mobile devices linked to PagerDuty accounts.

Users have also been advised to keep an eye out for phishing attempts that might leverage stolen names and email addresses.

PagerDuty has called in a cyber security forensics firm to investigate the breach. An investigation is also being conducted by law enforcement.

The company says it has enhanced its monitoring and detection capabilities following the incident.

PagerDuty provides organizations alerting, on-call scheduling, escalation policies and incident tracking to help them increase the uptime of their websites, apps, databases and servers. The company’s customer list includes Adobe, Airbnb, Pinterest, Etsy, GitHub, Intuit, National Instruments, the Wikimedia Foundation, Panasonic, Evernote and Rackspace.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.