Protecting Basecamp from breached passwords

Did you receive this email from us today?

Subject: Basecamp 3 security alert: You must set a new password ⚠️

You’re not alone! You’ve done nothing wrong, and you’re in good company. 1 in 20 Basecamp users got this email alert. Here’s the full story.


Last month’s mass-login attack was a sobering reminder that passwords just aren’t cutting it online. It’s getting worse. We all feel it.

Without a password manager app, it’s just impossible to use passwords securely online. Every bank-level secure web site we log into with a super strong password (One of our “main” passwords, maybe? With a ‘4’ instead of an ‘a’, am I right?) is only as secure as the flimsiest fly-by-night.com where we signed up with the exact same password.

When the weakest link gets hacked and fly-by-night.com data is breached, the whole chain falls apart. Anyone can pluck our email and passwords out of the rubble and waltz right through the front door of our other bank-level secure web sites. And who would bat an eye? They’ve got our email and our super strong password. Roll out the red carpet, Ft. Knox.

That’s so frustrating. Any motivated hacker can go grab a giant list of logins stolen in data breaches, scan down the list to look for your email address, maybe find some passwords you’ve used before, and go try to log in to other sites right away. If you reused the breached password on another site—BAM, they’re in as you. It’s that easy.

Ooo, that burns. It’s not right. And what can we do!?

As internet users, there’s much we can do to protect ourselves online. We can start using password managers (like 1Password) for every single site. Every single time. We can use a free password breach notification service like Have I Been Pwned for early warnings of data breaches that could reveal our personal data. And we can take care to enable two-factor authentication (2FA) everywhere it’s available to us, guaranteeing that a breached password won’t be enough to log in on its own.

At Basecamp, there’s much we can do, too. We can require strong, hard-to-guess passwords. We can offer two-factor authentication. But it’s not enough to celebrate sophisticated best practices when our average, everyday passwords are still 100% at risk of data breaches. We can do better.

Dial back a month. After January’s mass-login attack, we asked

  1. How can we put a stop to this attack? We did this! ✅
  2. Now, how can we prevent attacks like this from happening again? 🤔

We can prevent attacks like this—that reuse breached passwords to log in to Basecamp—by keeping breached passwords out of Basecamp in the first place. We can’t get out ahead of every new data breach, but we sure can catch their scent, track them down, and kick them out.

We started by checking that our users aren’t already caught up in a number of high profile, widely available data breaches. We went straight to the source: we scanned the data breaches themselves for user emails, extracted any associated plain-text passwords, and securely checked whether they match user logins.

(We use bcrypt to securely salt & hash passwords, which is a one-way encryption of sorts that’s extremely computationally costly to try to guess. We never compare unencrypted/unhashed passwords, or even have them available in the first place.)

Today we alerted every Basecamp user whose email and password we could find in a data breach, in full view of everyone online, that we removed the unsafe password and disabled login until a new password is set.

Next, we ensured that breached passwords can’t find their way in to Basecamp from here on out. Basecamp now validates that passwords are not breached. For this we thank the fantastic Have I Been Pwned API, a free service provided by a concerned citizen for checking that a password does not appear in its massive, growing trove of known data breaches. Basecamp securely asks whether a password appears in a breach and marks it as invalid if it does. Breached passwords simply aren’t allowed into Basecamp anymore.

Basecamp elbowed out breached passwords today, and we’re keeping them out.

If you received an email alert today, we’re taking a big step together. Start by setting a new Basecamp password. You’ve got this, and we’re here to help.


If you came here wondering whether you just got a phishing email: great instincts! Any email asking you to set a password or mess with your login is super slippery dubious. This is legit. We invite you to email us directly at support@basecamp.com for a gut check about any dubious email.


Enjoy this post? Get SvN updates delivered straight to your inbox.

No spam, no fluff — just one email every week with the latest posts.

49 thoughts on “Protecting Basecamp from breached passwords

    1. No. If you login via Google, we don’t have a hash of your password. And if you have 2FA activated via Google, you’re safe anyway 👍

  1. Hey there 👋🏼,

    At our company, we do not use anything Google related and would like to keep it that way, not because we think we are better than everyone else, but because alternatives that suit us better.

    With that in mind, will we be able to set up 2FA without using a Google Account at some point? And while we are at it, it would also be great to be able to force users to set that up, disable registration through Google Account and use, say, a YubiKey for 2FA.

    I believe options like those would go a long way to protect users from attacks like the one from last month.

    1. Strongly sympathetic to that. Google provides top-class login security, but we’d very much like to bring 2FA back in-house. 👍🏼

  2. A clever idea and a cool thing.

    May I ask how you identified leaked passwords?
    I think it shouldn’t be possible using the haveibeenpwned API except for the moment a user logs in.
    Do you have breaches with cleartext passwords available? If so, how can they be obtained?

    1. It is clear to me how it works on the fly. I was probably not explicit enough about what my question is.

      As Basecamp sent a mail to inform affected users about leaked passwords, they must be able to check the user credentials in the database against the Have I Been Pwned list. And I wonder how they managed to do this.

      The pwned passwords are only available as SHA-1 hashes, so unless one has a rainbow-table for all ~500 million passwords I have no clue how to check that without having the users clear-text password or its SHA-1 value (which we should not have) at hand.

    2. Jonas, that’s right: We went to the source by tracking down some of the recent mega combo lists and hashing the cleartext credentials therein. Not going to get into details here, but a bit of searching will lead you to discussion (forum posts) and downloads (typically torrents).

  3. It would be nice if Basecamp made it simple to change a password. I attempted to change mine right after the breach, but no, I’m still showing the same password as before even though I requested a new one.

  4. Hello – thanks for the update.

    It would have been handy to have the last third of the message at the top so any required action was clear, like Jason’s one from a few weeks back.

    I have a 16 digit passcode generated by 1Password (trying to gradually force myself into good habits…) but I didn’t know what action was required for me or my company until skipping through to the end.

    Thank you for the transparency and update though, as usual, and best wishes 🙂

  5. This is really not a good approach to MFA. Forcing all of your users to switch to using Google logins? What about your corporate customers who don’t use G Suite? I can’t ask all of my users to go out and set up institutional Gmail accounts just to get access to Basecamp; they need to access the system using their institutional logins. You should do what every other reputable system is doing these days and incorporate app-based or hardware-based MFA directly into your authentication system. It’s not hard, and it would make MFA adoption much, much easier than forcing everyone to use a Google account.

    1. Hi Ben,

      You’re absolutely right about the advantages of adding our own in-house 2FA, though I will push back a bit on the “it’s not hard” part. This is incredibly serious stuff and we’re committed to being responsible for anything we implement. At the moment, Google’s 2FA is a very good option for our customers who want extra security.

    1. We don’t check at login yet, but plan to. When you set or change your Basecamp password, we take some steps to ensure that it’s strong. We only allow passwords that are:

      8+ characters long with at least 1 number.
      Not the same as your username or email address.

      Additionally, we check your password against high-profile public breaches of other services.

    2. Maybe make the minimum length longer? 8 characters? Why not 24? Or 48? If we’re all using a password manager as recommended, length need not be an issue.

  6. So if you didn’t receive an email about this are we safe to continue? I changed our password when we received the message about the mass breach. Not sure if I need to do this again.

    LMK.
    THX-1138

  7. Can’t begin to tell you how much I appreciate your concern for our security on BC. Thanks for all you’re doing now and for looking for new ways to deepen security in the future.

  8. Hi, a few month ago I used a website with only the “second” factor. You register with your email and phone number. When logging in, you enter your email and the last 4 digits of your phone number. You then get a pin on your phone. No need for a password ever. It feels weird at first but I find it easier and more secure than a password manager.

    1. What if you’re subsequently a victim of SIM card fraud? Now you can’t log into anything because someone has stolen your phone number.

      Furthermore, NIST (National Institute of Standards and Technology – they set the standards for this sort of stuff) no longer recommend using SMS for two-step/ two-factor authentication as SMS is not secure.

      It’s trivial to intercept a text message and become a victim of a man-in-the-middle attack. You still have your phone number, but someone is reading your text messages before they reach your phone.

      The absolute safest bet is to use a password manager like 1Password, LastPass, or KeePass. Nothing is more secure.

  9. The honesty and transparency you’ve offered here is refreshing and unfortunately not the norm with other companies seeing incidents like these. Basecamp users have a great team behind them.

    1. To check all users, we went straight to the source and scanned a number of recent large breaches ourselves. We use HIBP to validate password changes.

  10. Maybe a good idea would be to show / explain how to change pass in the first place.. I’ve now been looking for 5 minutes in adminland and still no clue…

  11. What is the security level of this API you plan on using? What if they get hacked and now all email and password combinations are being sent to it to validate? I am sure you all thought about it and validated them before implementing this but just curious on how robust is this API?

  12. Hi Basecamp,

    I only registered on Feb 5th so why do I have to change my password from a breach that happened in January? Plus as suggested above; I registered via a Google account?

  13. I am not happy at all that when I change my password it is automatically sent to a third party website to be checked, whether it is hashed or not. I don’t see that information in your privacy documentation. You would be better downloading the password files from HaveIbeenPwned and then scanning against them in your own database so no data leaves your website. I think you may have legality issues with this otherwise. I do appreciate the extra security step but not how it has been implemented.

    1. Hey Stephen,

      We don’t ever send your password anywhere, hashed or not. The HaveIBeenPwned API accepts the first 5 characters of the SHA1 hash of the password, and returns a list with all the suffixes. We can then compare on our side, without ever revealing the full hash. This is described here: https://haveibeenpwned.com/API/v2#PwnedPasswords.

      We’re only sending 1/8th of a SHA1 hash of the password, which doesn’t provide enough information to reverse into the password itself. If you’d like a deeper dive into this use of a k-anonymity model, these posts are great: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ and https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

      We’re mindful of the caveats with this approach, and are keeping a weather eye on how we approach this!

  14. I’m sure I signed off on this when filling out the user agreement and I’m not personally upset about it, but I can see how someone could be mad you provided their email address to a 3rd party to check if its been pwned. Again, I don’t mind and I trust that website/service, but I’m curious if anybody’s going to be upset.

    1. We downloaded the raw data breaches and scanned them offline. No email addresses were sent to Have I Been Pwned.

    2. George: Thanks for the reply, I see now where I made an assumption. Sorry about that.

      Jeremy: Ah, ok, thanks!

  15. I received this e-mail. I don’t understand how I can be in a breach. I was invited by my company to join BC on Jan 28th of this year (basically my account is less than a month old). I signed up using a fresh e-mail address with a password > 32 characters in length all random (generated by my password manager). What breach could I possibly be in? Is the NSA involved?

Leave a Reply

Your email address will not be published. Required fields are marked *