Did you receive this email from us today?
Subject: Basecamp 3 security alert: You must set a new password ⚠️
You’re not alone! You’ve done nothing wrong, and you’re in good company. 1 in 20 Basecamp users got this email alert. Here’s the full story.
Last month’s mass-login attack was a sobering reminder that passwords just aren’t cutting it online. It’s getting worse. We all feel it.
Without a password manager app, it’s just impossible to use passwords securely online. Every bank-level secure web site we log into with a super strong password (One of our “main” passwords, maybe? With a ‘4’ instead of an ‘a’, am I right?) is only as secure as the flimsiest fly-by-night.com where we signed up with the exact same password.
When the weakest link gets hacked and fly-by-night.com data is breached, the whole chain falls apart. Anyone can pluck our email and passwords out of the rubble and waltz right through the front door of our other bank-level secure web sites. And who would bat an eye? They’ve got our email and our super strong password. Roll out the red carpet, Ft. Knox.
That’s so frustrating. Any motivated hacker can go grab a giant list of logins stolen in data breaches, scan down the list to look for your email address, maybe find some passwords you’ve used before, and go try to log in to other sites right away. If you reused the breached password on another site—BAM, they’re in as you. It’s that easy.
Ooo, that burns. It’s not right. And what can we do!?
As internet users, there’s much we can do to protect ourselves online. We can start using password managers (like 1Password) for every single site. Every single time. We can use a free password breach notification service like Have I Been Pwned for early warnings of data breaches that could reveal our personal data. And we can take care to enable two-factor authentication (2FA) everywhere it’s available to us, guaranteeing that a breached password won’t be enough to log in on its own.
At Basecamp, there’s much we can do, too. We can require strong, hard-to-guess passwords. We can offer two-factor authentication. But it’s not enough to celebrate sophisticated best practices when our average, everyday passwords are still 100% at risk of data breaches. We can do better.
Dial back a month. After January’s mass-login attack, we asked
- How can we put a stop to this attack? We did this! ✅
- Now, how can we prevent attacks like this from happening again? 🤔
We can prevent attacks like this—that reuse breached passwords to log in to Basecamp—by keeping breached passwords out of Basecamp in the first place. We can’t get out ahead of every new data breach, but we sure can catch their scent, track them down, and kick them out.
We started by checking that our users aren’t already caught up in a number of high profile, widely available data breaches. We went straight to the source: we scanned the data breaches themselves for user emails, extracted any associated plain-text passwords, and securely checked whether they match user logins.
(We use bcrypt to securely salt & hash passwords, which is a one-way encryption of sorts that’s extremely computationally costly to try to guess. We never compare unencrypted/unhashed passwords, or even have them available in the first place.)
Today we alerted every Basecamp user whose email and password we could find in a data breach, in full view of everyone online, that we removed the unsafe password and disabled login until a new password is set.
Next, we ensured that breached passwords can’t find their way in to Basecamp from here on out. Basecamp now validates that passwords are not breached. For this we thank the fantastic Have I Been Pwned API, a free service provided by a concerned citizen for checking that a password does not appear in its massive, growing trove of known data breaches. Basecamp securely asks whether a password appears in a breach and marks it as invalid if it does. Breached passwords simply aren’t allowed into Basecamp anymore.
Basecamp elbowed out breached passwords today, and we’re keeping them out.
If you received an email alert today, we’re taking a big step together. Start by setting a new Basecamp password. You’ve got this, and we’re here to help.
If you came here wondering whether you just got a phishing email: great instincts! Any email asking you to set a password or mess with your login is super slippery dubious. This is legit. We invite you to email us directly at firstname.lastname@example.org for a gut check about any dubious email.