Unfuddle: Notice of Data Breach

What Happened

We’ve identified and addressed security incidents which occurred on or about March 27 and April 13, where an unauthorized third party was able to initiate access to Unfuddle’s servers and its server information, potentially affecting Unfuddle products such as Unfuddle STACK, Unfuddle TEN or AgilePad projects (collectively, “Unfuddle”). We wanted to inform you about everything we know, as soon as we assessed the incident. We believe that this incident was not widespread, and that the vast majority of Unfuddle accounts were not affected. We have also found no other evidence of other Unfuddle systems or products being affected by this incident.

What Information Was Involved

Upon further analysis of the incident, some evidence showed signs of compromise to Unfuddle products. This means any sensitive data used during business, such as account details and source code data, could have been affected or compromised by this incident. Personal customer information, financial and credit card data were not identified as being affected by this incident, unless customers separately stored key personal or financial information on their accounts, which Unfuddle would not be aware of.

What We Are Doing

In addition to internal monitoring, we have engaged our security team to assess the incident, build and improve Unfuddle’s current processes, architecture, and controls. The following is being conducted in response and resolution to the incident:

  • We have completely replaced and updated all Unfuddle credentials related to Unfuddle infrastructure.
  • We have audited and strengthened access controls to keep potential unauthorized users off the system.
  • We have replaced Unfuddle’s SSL certificates to ensure communications continue to be encrypted and maintain the integrity of SSL.
  • We have enhanced monitoring and alerting to identify unauthorized access to our systems and machines.
  • We are designing and implementing a new network model with enhanced security zones and network segmentation.
  • We are improving our host-based Intrusion Detection System (IDS) software on all systems.

What You Can Do

  • As a precaution, Unfuddle STACK users should log in to the platform and change their passwords immediately. You will be prompted to do so automatically the next time you log in. This step is not necessary for Unfuddle TEN or AgilePad customers.
  • Never store or share personal data on your Unfuddle accounts.
  • Make sure you are not storing third-party credentials in your source code or attachments. While we generally believe customer repository data to be untouched, customers should change any credentials they may have stored in those repositories.
  • Any sensitive data or credentials stored in tickets or attachments should be changed.

Other Important Information

This is an ongoing investigation and Unfuddle will actively be working with law enforcement authorities on the investigation of this matter. Unfuddle’s Security Team will be increasing security monitoring, alerting, audit trails, and incident responses. We are also actively monitoring customer accounts to ensure that no further information was affected. We have already isolated the affected systems and confirmed that any further unauthorized access is not possible. To reiterate, we have found no evidence of other Unfuddle systems or products being affected beyond those mentioned in this notice.

For More Information

For more information, please go to https://unfuddle.com/blog/2017/05/important-notice/, contact us at support@unfuddle.com, or call us at +1-877-863-8335.