Protecting Basecamp from breached passwords

Did you receive this email from us today?

Subject: Basecamp 3 security alert: You must set a new password ⚠️

You’re not alone! You’ve done nothing wrong, and you’re in good company. 1 in 20 Basecamp users got this email alert. Here’s the full story.


Last month’s mass-login attack was a sobering reminder that passwords just aren’t cutting it online. It’s getting worse. We all feel it.

Without a password manager app, it’s just impossible to use passwords securely online. Every bank-level secure web site we log into with a super strong password (One of our “main” passwords, maybe? With a ‘4’ instead of an ‘a’, am I right?) is only as secure as the flimsiest fly-by-night.com where we signed up with the exact same password.

When the weakest link gets hacked and fly-by-night.com data is breached, the whole chain falls apart. Anyone can pluck our email and passwords out of the rubble and waltz right through the front door of our other bank-level secure web sites. And who would bat an eye? They’ve got our email and our super strong password. Roll out the red carpet, Ft. Knox.

That’s so frustrating. Any motivated hacker can go grab a giant list of logins stolen in data breaches, scan down the list to look for your email address, maybe find some passwords you’ve used before, and go try to log in to other sites right away. If you reused the breached password on another site—BAM, they’re in as you. It’s that easy.

Ooo, that burns. It’s not right. And what can we do!?

As internet users, there’s much we can do to protect ourselves online. We can start using password managers (like 1Password) for every single site. Every single time. We can use a free password breach notification service like Have I Been Pwned for early warnings of data breaches that could reveal our personal data. And we can take care to enable two-factor authentication (2FA) everywhere it’s available to us, guaranteeing that a breached password won’t be enough to log in on its own.

At Basecamp, there’s much we can do, too. We can require strong, hard-to-guess passwords. We can offer two-factor authentication. But it’s not enough to celebrate sophisticated best practices when our average, everyday passwords are still 100% at risk of data breaches. We can do better.

Dial back a month. After January’s mass-login attack, we asked

  1. How can we put a stop to this attack? We did this! ✅
  2. Now, how can we prevent attacks like this from happening again? 🤔

We can prevent attacks like this—that reuse breached passwords to log in to Basecamp—by keeping breached passwords out of Basecamp in the first place. We can’t get out ahead of every new data breach, but we sure can catch their scent, track them down, and kick them out.

We started by checking that our users aren’t already caught up in a number of high profile, widely available data breaches. We went straight to the source: we scanned the data breaches themselves for user emails, extracted any associated plain-text passwords, and securely checked whether they match user logins.

(We use bcrypt to salt and hash passwords, a one-way transformation that is extremely computationally costly to reverse by guessing. We never compare plain-text passwords, and we never have them available in the first place.)

Today we alerted every Basecamp user whose email and password we could find in a data breach, in full view of everyone online, that we removed the unsafe password and disabled login until a new password is set.

Next, we ensured that breached passwords can’t find their way into Basecamp from here on out. Basecamp now validates that passwords are not breached. For this we thank the fantastic Have I Been Pwned API, a free service provided by a concerned citizen for checking that a password does not appear in its massive, growing trove of known data breaches. Basecamp securely asks whether a password appears in a breach and marks it as invalid if it does. Breached passwords simply aren’t allowed into Basecamp anymore.
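The check described above, as an added example in Ruby (this is not Basecamp’s code): the Have I Been Pwned Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash and returns every matching hash suffix with its breach count, so the full hash never leaves the server and the comparison happens locally. The breached passphrase, the canned range body and the helper names are constructed for this example; the live lookup function needs network access and is not exercised by the offline sample.

```ruby
require "digest"
require "net/http"
require "uri"

# Hash a candidate password the way the Pwned Passwords range API expects:
# uppercase hex SHA-1, split into the 5-character prefix that is sent to the
# API and the 35-character suffix that is only ever compared locally.
def pwned_hash_parts(password)
  digest = Digest::SHA1.hexdigest(password).upcase
  [digest[0, 5], digest[5, 35]]
end

# Parse a range response ("SUFFIX:COUNT" per line) and return the breach count
# for our suffix, or 0 when the suffix is not in the range.
def breach_count_in_range(suffix, body)
  body.each_line do |line|
    seen_suffix, count = line.strip.split(":", 2)
    next unless seen_suffix && count
    return count.to_i if seen_suffix.casecmp?(suffix)
  end
  0
end

# Live range lookup (needs network; not used by the offline sample below).
# Only the hash prefix leaves the server.
def fetch_range(prefix)
  uri = URI("https://api.pwnedpasswords.com/range/#{prefix}")
  res = Net::HTTP.get_response(uri)
  raise "range lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# The validation rule: a password is rejected if it appears in any breach.
# range_fetcher is injectable so the check can run against canned data.
def password_breached?(password, range_fetcher: method(:fetch_range))
  prefix, suffix = pwned_hash_parts(password)
  breach_count_in_range(suffix, range_fetcher.call(prefix)).positive?
end

# Constructed stand-in for a breach: this passphrase is treated as breached.
CONSTRUCTED_BREACHED = "constructed breached passphrase 2019"

# Constructed range body containing the stand-in's suffix plus a filler entry,
# in the same "SUFFIX:COUNT\r\n" layout the real API returns.
def constructed_range_body(_prefix)
  _, suffix = pwned_hash_parts(CONSTRUCTED_BREACHED)
  "00000000000000000000000000000000000:1\r\n#{suffix}:42\r\n"
end

if __FILE__ == $PROGRAM_NAME
  fake = method(:constructed_range_body)
  puts password_breached?(CONSTRUCTED_BREACHED, range_fetcher: fake)          # true
  puts password_breached?("another constructed passphrase", range_fetcher: fake) # false
end
```

Wiring this into a password validator is a matter of calling `password_breached?` when a password is set or changed and refusing the save when it returns true; the injectable fetcher keeps that validation testable without network access.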

Basecamp elbowed out breached passwords today, and we’re keeping them out.

If you received an email alert today, we’re taking a big step together. Start by setting a new Basecamp password. You’ve got this, and we’re here to help.


If you came here wondering whether you just got a phishing email: great instincts! Any email asking you to set a password or mess with your login is super slippery and deserves suspicion. This one is legit. We invite you to email us directly at support@basecamp.com for a gut check about any dubious email.

Permits of passion

There are a lot of hoops to jump and obstacles to climb before starting a new business, but a lack of an all-burning passion for the pursuit shouldn’t be one of them. Yes, it’s easier to keep going when you like what you do, but it’s by no means a requirement to profess your love for the endeavor.

I know it often comes from a good place, this advice. That you should just wait until that magic idea comes along. Not be the fool rushing in. But this romantic idea that there’s the perfect opportunity just waiting out there for you to discover it is a mirage.

Most of business, most of the time, is pretty mundane! I’m not still working at Basecamp because, after nearly twenty years, I just spring out of bed every morning yearning to improve todos, events, messages, or project management in general. I like all those things, but the domain itself isn’t a burning bush of passion.

What working on Basecamp allows me to do is keep at the motions I most enjoy: Writing Ruby, sharing lessons and experiences, building a calm workplace, and being fair in dealings with customers. Those aren’t the only things I enjoy in life, but they’re definitely on the high list.

Thing is. I could have pursued all those things in a different domain than, say, helping businesses cope with growth and putting projects in order at Basecamp. In fact, I have! We’ve made quite a lot of applications at Basecamp over the years. Many related to a similar mission as Basecamp, but not all.

There are lots of reasons for why you’d want to start and run a business. Passion isn’t a permit you need to acquire before setting off.

Finding a mentor

People tend to look for mentors who are too far afield. A mentor who’s 20 or 30 years on in their career. I think this is misguided.

I think most are far better off seeking mentorship from someone who’s just a little bit ahead of them. Someone who’s a year or so in front. Someone who just went through what you’re going through, not someone who went through it a decade ago.

So if you’re starting a brand new business, talk to someone who started theirs a year ago. Or if you’re about to sign your first office lease, talk to someone who just signed theirs. Or if you’re about to hire your first employee, get advice from someone with a two-person company, not 200. I think there’s a good chance the advice will be more helpful.

That’s not to say you can’t learn from an expert in their field, or that you shouldn’t trust anyone who’s been there done that years ago, but that I believe most of your advice should be relevant advice. And relevancy benefits from recency. Memories fade and myths form over time – the closer someone is to the actual events you’re asking them about, the more relevant the advice has a chance to be.

Yes, history has much to teach us, but history also has much to trick us. Last week is a better predictor of this week than last decade would be.


The mindset shift of a manager

Becoming a new manager isn’t merely a change in what you do — it’s a change in how you think.

Becoming a manager for the first time is deceptively difficult.

No matter how many leadership books you’ve read or conversations you’ve had with mentors — the transition to becoming a manager is precarious.

Talk to any leader, and they’ll affirm this. “I was a terrible manager when I first started,” most will say. Myself included!


Basecamp turns 15

Yesterday, February 5th, was Basecamp’s 15th birthday. As a company we’ve been around for 20 years (we used to be called 37signals), but one random Thursday back in 2004 marked the beginning of Basecamp, the product.

And we launched it right here in this post on this very blog, Signal vs. Noise. The blog looked a lot different then, but the spirit’s the same. And here’s a link to the original home page, as well.

The comments are especially interesting to read after all these years. They give you insight into what a launch is like – uncertainty, “I needs” and immediate feature requests, doubt, praise, questions, etc. Every launch is a mixed bag of emotions and opinions. Ours, potential customers, lovers, haters, etc. But that’s what makes it exciting! No one really knows what’s going to happen. Launch day is the easiest day you’ll ever have – it only gets harder from there on out.

There are so many people to thank. Our 100,000 paying customers, our incredible crew who’ve put in over a million collective hours developing the product, supporting our customers, and keeping the machine humming. It’s truly a continued honor to get to work with such bright, interesting, talented, thoughtful, and kind human beings.

But let’s also recognize that we have luck and fortuitous timing to thank. They are a large part of our success. I didn’t used to think luck played a part. I didn’t believe in timing. It’s easy for your ego to dismiss those things as something you didn’t need because you’re so fucking good. Probably not. Of course I was younger and dumber back then. I’ve since learned that luck and timing play an outsized role in anyone’s success. No need to hide from that. It doesn’t make you less of a person, or less of an entrepreneur, to admit you rode the wave of luck.

So, here’s to continued luck! Let’s make it another 15, 20, 25! Thank you everyone.

Psst: We’re hoping luck and timing come together again later this year.

New in Basecamp: The “My Stuff” Menu

A great thing about the Home screen in Basecamp 3 is that your drafts, bookmarks, and assignments are all easily accessible. Load up Home, click a link, and see all of your assignments or your drafts in one place.

There’s just one problem with this approach: You have to leave whatever you’re doing to get to these links. We wanted to make it easier to find and access these “My…” links, and now you can!

Always available

Inspired by our mobile apps, we’ve removed these links from Home and added a dedicated menu called “My Stuff.” Now, no matter where you are, you can access your important links:

Open the menu and you’ll see your links up top plus a small collection of pages you’ve recently visited inside Basecamp:

Keyboard navigation

While we were building this new menu, we found it so useful that we wanted to use it without taking our hands off the keyboard. Just like the Find menu, we’ve added a keyboard shortcut to open My Stuff:

My Stuff: ⌘/Ctrl + ;
Find: ⌘/Ctrl + /

Once open, you can use your up & down arrows to navigate the links. Choose the link you want and hit Enter to visit that page — no mouse required!

Give it a try!

We hope this update makes it easier to access things like your unpublished drafts, assignments, and Boosts. Let us know what you think!

Thanks again for being a Basecamp customer.

The right amount of perfect

Everybody knows that perfect is the enemy of good, but it’s one of those tenets that’s easy to say and hard to live by. When you’re working on a creative project, there’s almost always something you wanted to do better, or some little detail that didn’t quite live up to your standards. That can be tough to accept.

This is why thoughtful project scoping and timeboxing is so important: if you don’t have a structured process and an end date for your work, you’ll be more likely to wander out into the perfectionist weeds. The farther out you get, the more time you’ve spent—mostly for diminishing returns.

At Basecamp, we protect ourselves against these problems by carefully scoping our projects and scheduling them in 6-week increments. This forces us to keep a regular cadence of shipping new things. Along the way, we have to make tough calls, and give up on always being perfect.

But even with that system in place, there’s still another tricky aspect of perfectionism: what perfect means for one project doesn’t necessarily apply in the same way to another. You have to redefine your standards every time.

Here’s an example.


How to deal with a micromanaging boss

The 5 reasons why people tend to micromanage in the workplace – and how to manage up, and around them.

I’ve heard the phrase, “I have a micromanaging boss,” more times than I can remember.

I heard it again, just last week. This person asked me, “What do I do? Is there anything I can say to a micromanager? How do I manage up?”

Here’s what I recommended to him…


Yesterday’s mass-login attack on Basecamp is another reminder to protect yourself

Yesterday at 12:45pm central time, our ops team detected a dramatic spike in login requests to Basecamp. More than 30,000 login attempts were made in the hour that followed from a wide array of IP addresses. Our first line of defense was to block the offending addresses, but ultimately we needed to enable captcha to stop the attack.

After the attack was over, we diagnosed that 124 accounts had unauthorized access from the attack. We immediately reset the password for these accounts, logging out any intruders, and emailed the affected account holders with all the relevant information.

All of the unauthorized access was gained using the correct username and password for the account. It’s highly likely that these credentials were obtained from one of the big breaches, like those collected in combos like Collection #1, Anti Public, or Exploit.in. All the affected accounts showed as “owned” on haveibeenpwned.com.

Our preliminary investigation shows that none of the unauthorized access actually performed any actions within the accounts. It seemed like the attack focused on first validating which accounts were vulnerable, perhaps with a plan to later exploit these vulnerable accounts. Thankfully we were able to detect and stop the attack very quickly, and also ensure that any intruders were prevented further access.
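As an added illustration (not Basecamp’s ops tooling) of the two signals the post describes, a spike in login requests spread across a wide array of IP addresses, and successful logins on accounts during that window that then need a password reset, here is a small Ruby pass over constructed login log lines. The log format, the thresholds and the function names are assumptions for this example.

```ruby
require "time"
require "set"

# Constructed sample log lines: "<iso8601 time> <ip> <login> <outcome>".
SAMPLE_LOG = <<~LOG
  2019-01-29T12:40:10Z 203.0.113.5 alice ok
  2019-01-29T12:41:02Z 203.0.113.5 alice ok
  2019-01-29T12:45:01Z 198.51.100.1 bob fail
  2019-01-29T12:45:02Z 198.51.100.2 carol fail
  2019-01-29T12:45:03Z 198.51.100.3 dave ok
  2019-01-29T12:45:04Z 198.51.100.4 erin fail
  2019-01-29T12:45:05Z 198.51.100.5 frank fail
  2019-01-29T12:45:06Z 198.51.100.6 grace fail
LOG

LoginEvent = Struct.new(:time, :ip, :login, :outcome)

def parse_login_log(text)
  text.each_line.map do |line|
    t, ip, login, outcome = line.split
    next unless outcome
    LoginEvent.new(Time.iso8601(t), ip, login, outcome)
  end.compact
end

def minute_key(event)
  event.time.strftime("%Y-%m-%dT%H:%M")
end

# Bucket attempts by minute and flag minutes where the volume exceeds the
# threshold AND most attempts come from distinct IPs. Credential stuffing is
# spread thinly across many addresses, so per-IP rate limits alone miss it.
def stuffing_minutes(events, min_attempts: 5, min_ip_ratio: 0.8)
  buckets = Hash.new { |h, k| h[k] = [] }
  events.each { |e| buckets[minute_key(e)] << e }
  buckets.select do |_minute, evs|
    distinct_ips = evs.map(&:ip).uniq.size
    evs.size >= min_attempts && distinct_ips.fdiv(evs.size) >= min_ip_ratio
  end.keys.sort
end

# Accounts with a successful login during a flagged minute from an IP that had
# never logged in to that account before: candidates for a forced password
# reset and session invalidation, as the post describes for the 124 accounts.
def accounts_to_reset(events, flagged_minutes)
  flagged = flagged_minutes.to_set
  history = Hash.new { |h, k| h[k] = Set.new }
  suspects = Set.new
  events.sort_by(&:time).each do |e|
    next unless e.outcome == "ok"
    if flagged.include?(minute_key(e)) && !history[e.login].include?(e.ip)
      suspects << e.login
    end
    history[e.login] << e.ip
  end
  suspects.to_a.sort
end

if __FILE__ == $PROGRAM_NAME
  events = parse_login_log(SAMPLE_LOG)
  flagged = stuffing_minutes(events)
  puts "flagged minutes: #{flagged.inspect}"          # ["2019-01-29T12:45"]
  puts "reset accounts: #{accounts_to_reset(events, flagged).inspect}"  # ["dave"]
end
```

On the sample, the 12:45 minute is flagged because six attempts arrive from six different addresses, and only `dave` is marked for reset: `alice` logged in before the window from an address already associated with her account.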

Nevertheless, this is a serious reminder that you should never share the same password between multiple services. Particularly services such as Basecamp that may contain sensitive information. Here’s what we recommend you do to stay safe:

1.) Use a password manager to ensure you’re using different, secure passwords on every service you use. Then if one service is breached, you don’t have to worry about the rest. We use 1Password at Basecamp and recommend it.

2.) Subscribe to a breach notification service, like the one offered by haveibeenpwned.com. Then you’ll be alerted if your credentials are part of a hack known to the public.

3.) Turn on two-factor authentication (2FA) wherever you can! We offer 2FA protection for Basecamp using Google Sign-In. Most services that deal with sensitive information offer 2FA these days. It’s especially important that you enable this for critical services, like your email address.

Our ops team will continue to monitor and fight any future attacks. They did an excellent job detecting and addressing this particular attack. But if someone has your username and password, and you don’t have 2FA protection, there are limits to how effective this protection can be.

Protecting yourself against attacks like this is important. Take the time to learn the basics, and take the steps outlined above to limit the risk.

Update: On January 31st, the mass-attack resumed in much greater strength than before. More than 5,000 IP addresses were used to test stolen credentials. 89 proved correct, but no content was accessed on these accounts, and we followed the same procedure of resetting all logins and writing to the people affected. We’ve since beefed up our CAPTCHA protection across all applications and all clients, which has been effective at stopping the attack. CAPTCHA isn’t perfect, and sometimes it’s annoying, but it has provided effective protection against this wave of attack. We continue to work on shoring up defenses, but do follow the steps outlined above to protect yourself!

Kickoffs!

Since our company is itself our most important product, we keep tweaking, experimenting, and – hopefully! – improving the organizational software that makes it run.

Here’s an example of how we refine our process at Basecamp:

Process change posted to our What Works project in Basecamp.

That change then got codified as an update to our How We Work guide in the Basecamp Employee Handbook.