Overview of our Marketing Incidents

JustinC
Khoros Alumni (Retired)
5 years ago

As many of you know, the Khoros Marketing platform was recently the target of a malicious security attack by a well-known bad actor. We know it’s been a difficult couple of weeks for our customers, and we are grateful for your patience and partnership — we are stronger because of it. In the spirit of that partnership, we want to share a comprehensive summary of recent events so you have the full context of what happened, the steps we took, and our preventative steps to protect your brand even further in the future. 

On Monday, January 27, we helped a customer recover from a phishing attack on their social properties by a bad actor. On Tuesday, January 28, the same bad actor returned and exploited a vulnerability in our password reset function. We moved quickly once we identified the issue and shut down access to the platform. We fixed the vulnerability, executed a series of extensive security protocols to ensure that the threat was contained, and restored access to the platform. The platform was down for two days, which we know was a disruption for our customers. We acted with the protection of your brands as our foremost priority because that is our commitment to you.

When the bad actor infiltrated our platform, they only accessed a small number of our customer accounts. We notified those customers and have been in close communication with them. Given that we do not store phone numbers or passwords on our platform, the information that the attacker was able to access from this small number of accounts was limited to names and email addresses used to access the software. 

After restoring access to the Khoros Social Marketing platform on Thursday, January 30, we rapidly worked to enhance our security protocols in the system. Immediate enhancements included enforcing password complexity and mandatory multi-factor authentication (MFA), which was rolled out to Marketing customers on February 5. We hoped to put this incident behind us and get back to the business of helping you succeed. However, just one week later, on February 7, the bad actor successfully phished multiple Marketing customer accounts. Given the recency of the prior incident, we made the difficult decision to suspend access to the platform for a second time.

This second incident was not a security issue. The access was gained through a sophisticated and targeted social engineering and phishing attack on our customers. And while preventing phishing is extremely complicated, we chose, in part, to take the extraordinary step of bringing the system down with the second incident because we saw an opportunity to quickly build software functionality to help us detect a phished account based on observed behaviors, and to automate actions that severely limit a phished account's functionality.

Several have asked if the phishing attack from the second incident means that MFA failed. It did not. MFA still requires human intervention to enter passcodes and can, therefore, still be exploited by sophisticated phishing. Teams must stay vigilant about all mediums of communication (mobile, text, phone, personal social media, email, etc.), as phishing comes in many forms. We will continue to support you on this front, and please know that your Khoros team is committed to being a resource for you on managing this risk. 

As always, we acted with our customers’ security as our foremost concern, but we realize that suspending system-wide access, while the most conservative approach, is too disruptive and not sustainable. With improved security, monitoring and threat mitigation processes, we are confident that, going forward, an issue with one customer will not require a disruption to other customers and their businesses. 

We know the past few weeks have caused major disruptions for our Marketing customers, and we appreciate your patience and trust in us while we worked to get you back online as safely and quickly as possible. To help make this right, we have offered a software service credit to current customers whose access was disrupted.

If you have any additional questions or want to speak to someone at Khoros directly, we continue to encourage you to reach out to your account team. For any security-related issues, please email security@khoros.com, and for platform support, please email support@khoros.com.

Updated 5 months ago
Version 3.0