Update: Mobile and desktop are fixed, but they require two phases of recaptcha (clicking the images of traffic lights to tell the computer you aren’t a bot). This is really annoying, and we’re working on reducing that to one.
For the past week, someone has been executing a credential stuffing attack against the Workflowy servers. This means that they got a huge list of emails and passwords from somewhere (hacks of other sites), and they’re checking whether those same email/password combos will give them access to any Workflowy accounts.
We’ve been working to address the issue, but yesterday they escalated the attack and we had to turn off login from our mobile and desktop apps in order to prevent people getting spammed further and the attacker having the opportunity to log in.
What we are doing
We are currently implementing the protections needed to re-enable signup/login from our desktop and mobile applications, and stop the login spam.
We will keep you updated. We will post updates here, on twitter, and on our status page.
What you should do
- If you use a password to log into Workflowy, and you use that same password on other sites, you should change it here.
- If the email account you use for Workflowy has a password that you use with other sites, you should change your email password as well.
Thank you for your patience and our apologies for the inconvenience.