Showing results for 
Show  only  | Search instead for 
Did you mean: 

Khoros Marketing: January Incident Summary and FAQ UPDATED 2/2/2020

Khoros Alumni (Retired)

On January 28th 2020, Khoros suffered an attack on its Social Marketing platform. Below summarizes what happened, how Khoros contained the threat, and what we have done to safely restore our customers to service.


On Tuesday afternoon, Khoros observed suspicious activity in the Khoros Marketing platform that triggered an immediate investigation by our engineering team, resulting in our decision to temporarily shut down the platform. 

This attack was preceded by an independent incident on Monday, when we helped a customer recover from a malicious social attack. On Tuesday, we became the target ourselves. We took swift and decisive action upon identifying the intrusion, and shut down access to the platform. With the platform locked down, we conducted a thorough root cause analysis and we identified the issue. The issue is now resolved, and Khoros Social Marketing, Intelligence, Experience, Vault and Promotions products are back online.

What was the nature and impact of the suspicious activity? 

On Tuesday 1/28, the malicious actor exploited a vulnerability with a password reset code in the Khoros Marketing Platform and were able to access a small number of user accounts. No passwords were compromised.  

How widespread was the impact? 

Based on a thorough review of activity logs across the platform, we have determined that the bad actor was able to access a very small number of Khoros Marketing customer accounts.  Per the above, no passwords were compromised. Khoros has communicated directly with all impacted customers.

We shut down the platform as a precaution as we pursued resolution; as a result Social Marketing and Vault customers were unable to use the platform from late afternoon on Tuesday until Thursday afternoon CST. Intelligence, Experiences, and Promotions customers regained access Friday night CST.

How are we certifying that the vulnerability has been thoroughly resolved?

Khoros has engaged an independent third party to complete a pentest on the platform, certifying that the vulnerability has been addressed.

Was Khoros Care or Khoros Community affected? 

Absolutely no data in Khoros Community or Khoros Care (including the CRM integration) was impacted by the incident in Khoros Marketing solution. Any cross-platform ties were severed during the investigation.

What specific actions did Khoros take?

  • Suspended customer access to the Khoros Marketing platform 
  • Communicated to customers via updates, customer Atlas Marketing blog updates, and email communication to all Khoros Marketing company admins 
  • Khoros reset all passwords for all users across Khoros Marketing and has increased password complexity requirements
  • Khoros has accelerated multi-factor authentication and is expected as an obligatory sign-in measure within the next two weeks
  • Directly emailed all customer admins to communicate updates on the vulnerability and when access was restored to the Khoros Marketing platform
  • Only enabled users across verified domains and requested each company’s administrators to re-enable other users

When will Khoros Marketing be restored to service?  

All Khoros Marketing Platform products are back online and restored to service.

Is the Khoros Marketing platform still ingesting data?

Khoros Marketing has continued to ingest data from all authenticated social channels during the shutdown. 

Was my scheduled content saved in the system? Did content auto-publish when Khoros Marketing was brought back online?

All previously scheduled content and workflows were saved in Social Marketing. 

  • Content which was scheduled to be sent while the Social Market platform was offline was placed in an error state, and was not published.
  • All other outbound content and moderation was Paused by default, in order to ensure your company could make any needed adjustments to the Content Calendar before resuming activities.

How can I resume publishing and moderation activities in Social Marketing?

Administrators can only resume activity for the Initiatives they have access to.

Once you have reviewed existing content and are happy to resume activity, Company Administrators (or users with advanced administrative roles), have two options in the Pause Publishing screen, accessible via

  • Option 1: Resume all moderation and publishing activity - Click ‘Resume All Publishing’ to resume activity for all visible initiatives in the list.



  • Option 2: Resume moderation activity only - Click ‘Resume All Publishing’. Then, for any initiative which you only wish to allow moderation activity to occur from, click the Pause icon in it’s associated row. This will disable publishing, but continue to allow moderation to occur.




Who can I contact if I have more questions?

For further questions, please contact All media inquiries should be directed to 


I think the situation was handled appropriately regardless of the temporary discomfort experienced. The safety and security of customers and clients should always be FIRST and given the space we all navigate there is a TON of reputational risk to associated with compromises of this nature. Great job Khoros leadership, engineers, staff, etc for your decisive action, regular communication and speedy recovery of the platform. 

@rsabreeI agree completely.

Thank you Khoros for keeping up safe from attackers and also for the constant stream of communication during the crisis.


Thank you for keeping this contained and under control - security always comes first!  Fingers crossed we won't have a like situation for a long time.  

Version history
Last update:
‎07-17-2020 08:57 AM
Updated by: