Security incident, October 2020
I'm writing today about a security incident that may have exposed data from users' Reincubate accounts.
These are the accounts automatically created on our site as users purchased iPhone Backup Extractor or other products. They do not include data from devices or backups, or credit card data.
The data comes from a backup we created in November 2017. We have automatically reset passwords to Reincubate user accounts: these are and always have been securely encrypted. Any accounts created subsequent to that date are unaffected.
The data may include names and email addresses, and — for some users — billing addresses and metadata on usage of our products and services. We have emailed all potentially affected users directly to explain which category they fall into. For the majority, this is limited to name and email address.
What happened
Close to midnight on Sunday, 18 October 2020, we received an anonymous email from an individual claiming that data had been accessed from the Reincubate site through a vulnerability, and requesting payment in Bitcoin to prevent the information from being published.
When we picked up the report on Sunday morning, we set to work to identify what data was involved, and how it had been obtained. We wrote back to establish whether the individual was reporting the breach under the terms of our responsible security disclosure policy.
As the individual refused to disclose the source of the breach or the means by which the data had been obtained, and continued to insist on urgent payment to avoid release of the data, we filed a report with the relevant authority in the UK, the Information Commissioner’s Office (ICO). We are following up with the UK’s National Reporting Centre for Fraud and Cyber Crime (Action Fraud). In accordance with UK law we have not paid and will not pay any extortion requests.
We continued to correspond with the individual to ascertain what data had been compromised. Over the course of several emails, it became clear many of their claims were baseless, as they claimed to have copies of the company’s source code in a format that never existed, code copied from tools that have never been used at Reincubate, types of data we have never stored, and backups of databases and systems from dates and times long after such systems had been decommissioned.
We identified the cause of the breach as a set of AWS credentials which had been leaked in a separate incident at Datadog, a cloud monitoring service we used. We revoked these credentials at the time, but the process we used to revoke them failed, and we failed to double-check that the change had been made successfully. We no longer use Datadog, and the staff member in this role left the business shortly after that incident.
We determined that one or more of a small number of database backups dating from November 2017, stored in a private Amazon Web Services (AWS) S3 storage bucket, had been accessed recently using the leaked credentials. Few backups were present and readily accessible in the bucket, as we migrated away from regular use of S3 for backups that same year, and data was automatically made inaccessible with Amazon's Glacier service. No active systems were affected by the security vulnerability. The data in question is 3 years old.
Through continued communication with the individual, we believe they may intend to publish the limited data they have obtained.
How we’ve responded
We have revoked or rotated all of our AWS credentials. Over the coming weeks, we’ll stop use of AWS S3 for storage of legacy backups. (We stopped moving backups to AWS in 2018 altogether, and almost all of the backups were stored in Amazon's Glacier system and were inaccessible.) We plan to completely discontinue use of AWS over the coming months, allowing our operations teams to maintain their focus on improving and securing our services on Google Cloud Platform.
Though we already perform periodic reviews of our usage of cloud computing services, we’re putting in place quarterly reviews of credentials across all systems to ensure unused or potentially exposed credentials are correctly retired. This, coupled with our changes to consolidate our cloud hosting footprint, will give our teams a stronger foundation to operate on and minimise the chance of such an incident recurring.
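The two checks described in this post, confirming that a revocation actually took effect and reviewing credentials each quarter for unused keys, can be run against an access key inventory. The sketch below is an added example, not Reincubate's own tooling: it assumes records shaped like the output of IAM ListAccessKeys with GetAccessKeyLastUsed merged in, and the users, key IDs, dates, the revocation ticket and the 90-day idle threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory, shaped like IAM ListAccessKeys metadata with the
# LastUsedDate from GetAccessKeyLastUsed merged in. All values are invented.
SAMPLE_KEYS = [
    {"UserName": "monitoring-agent", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "LastUsedDate": "2020-10-12T22:41:00+00:00"},
    {"UserName": "backup-writer", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "LastUsedDate": "2017-11-30T03:00:00+00:00"},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Active", "LastUsedDate": "2020-10-19T08:15:00+00:00"},
    {"UserName": "report-job", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "LastUsedDate": None},
    {"UserName": "legacy-sync", "AccessKeyId": "AKIAEXAMPLE000000005",
     "Status": "Active", "LastUsedDate": "2019-02-01T12:00:00+00:00"},
]
# Key IDs an earlier (hypothetical) revocation ticket recorded as retired.
SHOULD_BE_REVOKED = {"AKIAEXAMPLE000000001", "AKIAEXAMPLE000000002",
                     "AKIAEXAMPLE000000009"}
NOW = datetime(2020, 10, 20, tzinfo=timezone.utc)  # fixed so the run is repeatable


def verify_revocation(keys, should_be_revoked):
    """Map each key that should be gone to 'deleted', 'inactive' or 'STILL ACTIVE'."""
    by_id = {k["AccessKeyId"]: k for k in keys}
    states = {}
    for key_id in sorted(should_be_revoked):
        meta = by_id.get(key_id)
        if meta is None:
            states[key_id] = "deleted"
        elif meta["Status"] == "Active":
            states[key_id] = "STILL ACTIVE"  # the revocation did not take effect
        else:
            states[key_id] = "inactive"
    return states


def stale_active_keys(keys, now, max_idle_days=90):
    """Return IDs of active keys never used, or idle longer than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for k in keys:
        last = k.get("LastUsedDate")
        if k["Status"] == "Active" and (last is None or datetime.fromisoformat(last) < cutoff):
            stale.append(k["AccessKeyId"])
    return stale


if __name__ == "__main__":
    for key_id, state in verify_revocation(SAMPLE_KEYS, SHOULD_BE_REVOKED).items():
        print(f"{key_id}: {state}")
    print("stale active keys:", stale_active_keys(SAMPLE_KEYS, NOW))
```

Reading the key state back from the provider after the change, rather than trusting that the revocation step succeeded, is what catches a key left in the "STILL ACTIVE" state.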
Reincubate has published a responsible disclosure policy for several years now, and we continue to work fruitfully with ethical security researchers on an ad-hoc basis. As per our privacy policy, we store very limited data from users, and we will continue to regularly review what data we store and how.
The UK’s Information Commissioner’s Office has not determined we need to communicate this incident to users at this point. However, in accordance with our values, we’ve proactively written to notify users from the affected period, irrespective of whether we believe access was obtained to backups containing their details.
We will continue to update users (and this post) as further information becomes available.