This is an important security notice from the Mollom team. On August 21, we identified a breach of one of our Mollom servers. Our subsequent investigation showed that unauthorized users gained access to Mollom servers and were potentially able to access Mollom data. Today we have closed the security loophole used to gain access and taken measures designed to prevent future breaches.
Data that may have been compromised includes usernames, account contact information, password hashes (passwords are stored hashed, not in clear text), Mollom public and private keys, and billing transaction logs. PayPal account information was NOT stored on the affected servers.
At this time, we have no evidence that any malicious activity took place with customer data. To help assure this continues to be the case, in addition to the measures described above, we have changed all Mollom user account passwords.
What You Need to Do
Because we have reset all Mollom user account passwords (the passwords used to log in to the Mollom administrative interface), you will need to set a new password using this URL:
In keeping with security best practices, if you have used your Mollom.com user account password on any other site, you should change it there as well.
What We are Doing to Prevent Future Breaches
The security of the Mollom platform is of paramount importance to us. We are conducting a thorough review of our procedures and will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind. Check back here for updates as they become available.
The Mollom Team
2013-08-24 01:12 CEST:
A recent security notice that we delivered in an email was mistakenly sent in HTML, and it contained several redirected links. Because an HTML message with redirected links is also what a phishing email typically looks like, we have received queries about the authenticity of the email. Please be assured that the information on this page is accurate. We apologize for any confusion that our notice may have caused.
The Mollom team has identified unauthorized access to user information on Mollom.com, which occurred via third-party software installed on the Mollom.com server infrastructure.
What information of mine was exposed?
The information includes usernames, account contact information, hashed passwords, Mollom public and private keys, and billing transaction logs. PayPal account information was NOT stored on the affected servers.
However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.
Was my PayPal account information or credit card information exposed?
We do not store PayPal account information or credit card information on our site and have uncovered no evidence that credit card numbers may have been intercepted. We will notify you if we learn in the course of completing our investigation that other types of information may have been compromised.
How did the access happen?
Unauthorized access was made via third-party software installed on the Mollom.com server infrastructure, and was not the result of a vulnerability within Drupal. We are still investigating and will share more detail when it is appropriate.
Was the integrity of Mollom.com’s content quality evaluation system affected by this unauthorized access? Did any spam / malicious content get through?
No, this breach has not affected the content quality evaluation system and the core Mollom.com services continue uninterrupted except for some short necessary downtimes for security upgrades.
Do I need to change my password? How do I change my password?
All Mollom passwords have already been reset. You need to set up a new password using this URL:
http://mollom.com/user/password - Please do not use your old password.
Do I need to do anything regarding my Mollom public and private keys?
No, you can continue to use your current Mollom public and private keys while we continue to investigate. The core Mollom.com services will continue uninterrupted. The Mollom team will contact you in the future if there is a need to update your keys.
What has been done to prevent this type of unauthorized access in the future?
There have been several infrastructure and application changes including:
- The Mollom.com team has rebuilt the affected core Mollom.com server and has disabled the third-party application that led to the unauthorized access
- An external automated security audit was performed
- An external security firm was engaged to perform a detailed audit of the Mollom.com infrastructure
- We have reset all Mollom.com user account passwords and increased the strength of the password hashing scheme
Do you have any information about the identity of the person or group who did this?
At this point there is no information to share.
What is the Mollom.com team doing to investigate the unauthorized access?
We have a forensics team made up of Mollom staff and outside security experts investigating.
What else can I do to protect myself?
First, we recommend as a precaution that you change or reset passwords on other sites where you may use the same or a similar password to your old Mollom password, even though all passwords on Mollom.com are hashed. Hashing slows password guessing but does not prevent it: anyone holding the hashes can test candidate passwords offline, and a weak or reused password can be recovered that way. To make your password more secure:
- Do not use passwords that are dictionary words, names, or common phrases
- Never use the same password on multiple sites or services
- Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols), and prefer longer passwords over shorter ones.
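The reasoning behind the recommendation above is worth seeing concretely: a leaked password hash is not a leaked password, but an attacker who holds the hash can guess offline at full speed, and a dictionary password falls within a handful of guesses regardless of the hashing scheme; a salted, iterated hash only raises the cost per guess. The following Python script is an added example and is not code from Mollom. The credential records and the wordlist are constructed for the demonstration, and the two schemes it compares (unsalted SHA-256 and salted PBKDF2-HMAC-SHA256) are assumptions chosen to illustrate the point, not a description of what Mollom.com actually used.

```python
import hashlib
import hmac

# PBKDF2 work factor for the demonstration; real deployments use far more,
# which only raises the per-guess cost linearly (assumption, not Mollom's setting).
PBKDF2_ITERATIONS = 20_000

# Constructed wordlist standing in for the multi-million-entry lists attackers use.
WORDLIST = [
    "password", "letmein", "123456", "sunshine",
    "Tr0ub4dor&3", "correct horse battery staple",
]


def sha256_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted hash (assumed for the demo)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> str:
    """Stronger scheme: salted, iterated PBKDF2-HMAC-SHA256 (assumed for the demo)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


# Constructed "leaked" credential records, in the shape an attacker would hold
# after copying a user table. Salts are fixed so the example is reproducible.
_SALT_BOB = bytes.fromhex("0123456789abcdef0123456789abcdef")
_SALT_CAROL = bytes.fromhex("fedcba9876543210fedcba9876543210")
LEAKED = [
    {"user": "alice", "scheme": "sha256", "salt": None,
     "hash": sha256_unsalted("sunshine")},                    # dictionary word, fast hash
    {"user": "bob", "scheme": "pbkdf2", "salt": _SALT_BOB,
     "hash": pbkdf2_salted("letmein", _SALT_BOB)},            # dictionary word, slow hash
    {"user": "carol", "scheme": "pbkdf2", "salt": _SALT_CAROL,
     "hash": pbkdf2_salted("g7!Qx2#vLm9&tR", _SALT_CAROL)},  # random, in no wordlist
]


def crack(records, wordlist):
    """Offline dictionary attack against leaked hashes.

    Returns (recovered, guesses): recovered maps user -> plaintext for every
    record whose password appears in the wordlist; guesses counts hash
    evaluations per scheme. The slow scheme changes the cost of each guess,
    not whether a weak password is found.
    """
    recovered = {}
    guesses = {"sha256": 0, "pbkdf2": 0}
    for rec in records:
        for candidate in wordlist:
            if rec["scheme"] == "sha256":
                digest = sha256_unsalted(candidate)
            else:
                digest = pbkdf2_salted(candidate, rec["salt"])
            guesses[rec["scheme"]] += 1
            # Constant-time compare is good habit; an offline attacker does not care.
            if hmac.compare_digest(digest, rec["hash"]):
                recovered[rec["user"]] = candidate
                break
    return recovered, guesses


if __name__ == "__main__":
    found, work = crack(LEAKED, WORDLIST)
    print("recovered:", found)
    print("guesses per scheme:", work)
    print("PBKDF2 cost per guess relative to plain SHA-256: roughly %dx" % PBKDF2_ITERATIONS)
```

Both dictionary passwords are recovered in a few guesses; the salted PBKDF2 record simply costs more per guess, while the random password survives the whole list under either scheme. That is why a leaked hash is treated as a leaked password wherever the same password was reused.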
Second, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by e-mail. Also, beware of e-mails that threaten to close your account if you do not take the "immediate action" of providing personal information.
Although we do not store credit card information, as a precaution we recommend that you closely monitor your financial accounts if you use a password with your financial institution that is similar to your Mollom.com password. If you see unauthorized activity, you should immediately contact the financial institution. You may obtain additional information about responding to identity theft from the Federal Trade Commission ("FTC") by calling 1-877-ID-THEFT (1-877-438-4338) or on the web at: http://www.consumer.ftc.gov/features/feature-0014-identity-theft
Based on the results of the investigation into this incident, we may update the FAQs and may recommend additional measures for protecting your personal information.
How will I be informed of future updates?
As information becomes available, we will post that information on http://mollom.com/blog/security-notice-august-2013