Khoros Marketing: January Incident Summary and FAQ UPDATED 2/2/2020

SofiaP
Khoros Alumni (Retired)
5 years ago

On January 28th, 2020, Khoros suffered an attack on its Social Marketing platform. The summary below covers what happened, how Khoros contained the threat, and what we have done to safely restore our customers to service.

Summary

On Tuesday afternoon, Khoros observed suspicious activity in the Khoros Marketing platform that triggered an immediate investigation by our engineering team, resulting in our decision to temporarily shut down the platform. 

This attack was preceded by an independent incident on Monday, when we helped a customer recover from a malicious social attack. On Tuesday, we became the target ourselves. We took swift and decisive action upon identifying the intrusion, and shut down access to the platform. With the platform locked down, we conducted a thorough root cause analysis and we identified the issue. The issue is now resolved, and Khoros Social Marketing, Intelligence, Experience, Vault and Promotions products are back online.

What was the nature and impact of the suspicious activity? 

On Tuesday 1/28, the malicious actor exploited a vulnerability with a password reset code in the Khoros Marketing Platform and was able to access a small number of user accounts. No passwords were compromised.

How widespread was the impact? 

Based on a thorough review of activity logs across the platform, we have determined that the bad actor was able to access a very small number of Khoros Marketing customer accounts.  Per the above, no passwords were compromised. Khoros has communicated directly with all impacted customers.

We shut down the platform as a precaution as we pursued resolution; as a result Social Marketing and Vault customers were unable to use the platform from late afternoon on Tuesday until Thursday afternoon CST. Intelligence, Experiences, and Promotions customers regained access Friday night CST.

How are we certifying that the vulnerability has been thoroughly resolved?

Khoros has engaged an independent third party to complete a pentest on the platform, certifying that the vulnerability has been addressed.

Was Khoros Care or Khoros Community affected? 

Absolutely no data in Khoros Community or Khoros Care (including the CRM integration) was impacted by the incident in the Khoros Marketing solution. Any cross-platform ties were severed during the investigation.

What specific actions did Khoros take?

  • Suspended customer access to the Khoros Marketing platform 
  • Communicated to customers via status.khoros.com updates, customer Atlas Marketing blog updates, and email communication to all Khoros Marketing company admins 
  • Khoros reset all passwords for all users across Khoros Marketing and has increased password complexity requirements
  • Khoros has accelerated multi-factor authentication, which is expected to be an obligatory sign-in measure within the next two weeks
  • Directly emailed all customer admins to communicate updates on the vulnerability and when access was restored to the Khoros Marketing platform
  • Only enabled users across verified domains and requested each company’s administrators to re-enable other users

When will Khoros Marketing be restored to service?  

All Khoros Marketing Platform products are back online and restored to service.

Is the Khoros Marketing platform still ingesting data?

Khoros Marketing has continued to ingest data from all authenticated social channels during the shutdown. 

Was my scheduled content saved in the system? Did content auto-publish when Khoros Marketing was brought back online?

All previously scheduled content and workflows were saved in Social Marketing. 

  • Content which was scheduled to be sent while the Social Marketing platform was offline was placed in an error state, and was not published.
  • All other outbound content and moderation was Paused by default, in order to ensure your company could make any needed adjustments to the Content Calendar before resuming activities.

How can I resume publishing and moderation activities in Social Marketing?

Administrators can only resume activity for the Initiatives they have access to.

Once you have reviewed existing content and are happy to resume activity, Company Administrators (or users with advanced administrative roles) have two options in the Pause Publishing screen, accessible via https://admin.spredfast.com/company-settings/pause-publishing:

  • Option 1: Resume all moderation and publishing activity - Click ‘Resume All Publishing’ to resume activity for all visible initiatives in the list.

  • Option 2: Resume moderation activity only - Click ‘Resume All Publishing’. Then, for any initiative where you wish to allow only moderation activity, click the Pause icon in its associated row. This will disable publishing, but continue to allow moderation to occur.

Who can I contact if I have more questions?

For further questions, please contact khorosmarketingplatform@khoros.com. All media inquiries should be directed to pr@khoros.com.

Updated 7 months ago
Version 5.0

2 Comments

  • A few questions:

     

    • If you guys have identified the issue, why couldn't you resume operations for everyone but the accounts impacted?
    • Why weren't we warned sooner that the platform was going to be suspended for over 24 hours?
    • For those who need access to their publishing calendar, are you considering an offline mode?
    • For those who run customer service departments out of Khoros Marketing, are you aware that when we have a team of social agents that we use this platform to avoid giving native access to our social accounts? I'm in one of our two biggest peaks of the season for customer service and we have clients that we can't assist. This goes just beyond disappointing Khoros' clients. This impacted the clients of our business in a way we can't ever make up to them. 
    • What steps are you taking to make sure this doesn't happen again? If this was the fault of the third-party app, how are you addressing this with the 3rd party app that caused the breach and making sure the others don't provide vulnerabilities? 
    • What steps are you taking to ensure a better communication process in the future before suspending operations?

    I'm severely disappointed in the lack of communication before taking down the platform. 

     

  • SofiaP
    Khoros Alumni (Retired)
    5 years ago

    joedavis34, we are keenly aware of the magnitude of this disruption. Please know that the severity and speed of our action matched the threat. We can say with certainty that the impact of this event to our customers was as limited as it was due to the forced outage.

    We know that running customer service natively is incredibly challenging, particularly during peak season, and we would like the opportunity to help you recover. We will reach out to you privately to discuss next steps.