On January 28th, 2020, Khoros suffered an attack on its Social Marketing platform. The following summarizes what happened, how Khoros contained the threat, and what we have done to safely restore our customers to service.
On Tuesday afternoon, Khoros observed suspicious activity in the Khoros Marketing platform that triggered an immediate investigation by our engineering team, resulting in our decision to temporarily shut down the platform.
This attack was preceded by an independent incident on Monday, when we helped a customer recover from a malicious social attack. On Tuesday, we became the target ourselves. We took swift and decisive action upon identifying the intrusion, and shut down access to the platform. With the platform locked down, we conducted a thorough root cause analysis and we identified the issue. The issue is now resolved, and Khoros Social Marketing, Intelligence, Experience, Vault and Promotions products are back online.
What was the nature and impact of the suspicious activity?
On Tuesday 1/28, the malicious actor exploited a vulnerability with a password reset code in the Khoros Marketing Platform and was able to access a small number of user accounts. No passwords were compromised.
How widespread was the impact?
Based on a thorough review of activity logs across the platform, we have determined that the bad actor was able to access a very small number of Khoros Marketing customer accounts. Per the above, no passwords were compromised. Khoros has communicated directly with all impacted customers.
We shut down the platform as a precaution as we pursued resolution; as a result Social Marketing and Vault customers were unable to use the platform from late afternoon on Tuesday until Thursday afternoon CST. Intelligence, Experiences, and Promotions customers regained access Friday night CST.
How are we certifying that the vulnerability has been thoroughly resolved?
Khoros has engaged an independent third party to complete a pentest on the platform, certifying that the vulnerability has been addressed.
Was Khoros Care or Khoros Community affected?
Absolutely no data in Khoros Community or Khoros Care (including the CRM integration) was impacted by the incident in the Khoros Marketing solution. Any cross-platform ties were severed during the investigation.
What specific actions did Khoros take?
Suspended customer access to the Khoros Marketing platform
Communicated to customers via status.khoros.com updates, customer Atlas Marketing blog updates, and email communication to all Khoros Marketing company admins
Khoros reset all passwords for all users across Khoros Marketing and has increased password complexity requirements
Khoros has accelerated multi-factor authentication, which is expected to become an obligatory sign-in measure within the next two weeks
Directly emailed all customer admins to communicate updates on the vulnerability and when access was restored to the Khoros Marketing platform
Enabled only users across verified domains and asked each company’s administrators to re-enable other users
When will Khoros Marketing be restored to service?
All Khoros Marketing Platform products are back online and restored to service.
Is the Khoros Marketing platform still ingesting data?
Khoros Marketing has continued to ingest data from all authenticated social channels during the shutdown.
Was my scheduled content saved in the system? Did content auto-publish when Khoros Marketing was brought back online?
All previously scheduled content and workflows were saved in Social Marketing.
Content that was scheduled to be sent while the Social Marketing platform was offline was placed in an error state and was not published.
All other outbound content and moderation were Paused by default, to ensure your company could make any needed adjustments to the Content Calendar before resuming activities.
How can I resume publishing and moderation activities in Social Marketing?
Administrators can only resume activity for the Initiatives they have access to.
Option 1: Resume all moderation and publishing activity - Click ‘Resume All Publishing’ to resume activity for all visible initiatives in the list.
Option 2: Resume moderation activity only - Click ‘Resume All Publishing’. Then, for any initiative where you wish to allow only moderation activity, click the Pause icon in its associated row. This will disable publishing but continue to allow moderation.