In a security update released on May 16, Stack Overflow confirmed that "some level of their production access was gained on May 11". In a subsequent "Update to Security Incident" post, Stack Overflow provides further details of the breach, including the actual date and duration of the attack, how it took place, and the company's response to the incident.
According to the update, the first intrusion happened on May 5, when a build deployed to the development tier of stackoverflow.com contained a bug. This allowed the attacker to log in to the development tier and then escalate their access to the production version of stackoverflow.com.
From May 5 until May 11, the intruder spent time exploring the site. On May 11, the intruder made a change in the Stack Overflow system to obtain privileged access on production. The Stack Overflow team identified this change, immediately revoked the intruder's network-wide access, and started an investigation into the intrusion.
As part of their security procedure for protecting sensitive customer data, Stack Overflow maintains separate infrastructure and networks for customers of its Teams, Business, and Enterprise products. They have found no evidence that these systems or their customer data were accessed. Stack Overflow's Advertising and Talent businesses were also not impacted. However, the team has identified some privileged web requests made by the attacker which might have returned the IP address, name, or email of approximately 250 public network users of Stack Exchange. Stack Overflow will notify these affected users.
Steps taken by Stack Overflow in response to the attack
- Terminated the unauthorized access to the system.
- Conducted an extensive and detailed audit of all logs and databases that they maintain, which allowed them to trace the steps and actions that were taken.
- Remediated the original issues that allowed unauthorized access and escalation.
- Issued a public statement proactively.
- Engaged a third-party forensics and incident response firm to assist with both remediation and lessons learned.
- Have taken precautionary measures such as cycling secrets, resetting company passwords, and evaluating systems and security levels.
Stack Overflow has again promised to provide more public information once their investigation concludes.
Many developers have praised the quick confirmation, the follow-up updates, and the response taken by Stack Overflow to this security incident.
A user on Hacker News comments, "I think this is one of the best sets of responses to a security incident I've seen:
- Disclose the incident ASAP, even before all facts are known. The disclosure doesn’t need to have any action items, and in this case, didn’t
- Add more details as investigation proceeds, even before it fully finishes to help clarify scope
The proactive communication and transparency could have downsides (causing undue panic), but I think these posts have presented a sense that they have it mostly under control. Of course, this is only possible because they, unlike some other companies, probably do have a good security team who caught this early.
I expect the next (or perhaps the 4th) post will be a fuller post-mortem from after the incident. This series of disclosures has given me more confidence in Stack Overflow than I had before!”
Another user on Hacker News added, "Stack Overflow seems to be following a very responsible incident response procedure, perhaps instituted by their new VP of Engineering (the author of the OP). It is nice to see."