Security Notice: If you can’t log into Workflowy right now, or you are getting lots of login emails, this is why …

Update: Mobile and desktop are fixed, but they require two phases of reCAPTCHA (clicking the images of traffic lights to tell the computer you aren’t a bot). This is really annoying, and we’re working on reducing that to one.

The situation

For the past week, someone has been executing a credential stuffing attack against the Workflowy servers. This means that they got a huge list of emails and passwords from somewhere (hacks of other sites), and they’re checking whether those same email/password combos will give them access to any Workflowy accounts.

We’ve been working to address the issue, but yesterday they escalated the attack and we had to turn off login from our mobile and desktop apps, both to keep people from being spammed further and to deny the attacker the opportunity to log in.
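How this pattern looks in login logs, as an added example (not Workflowy's code): a credential stuffing source tries many different accounts about once each and mostly fails, while a brute-force source hammers one account. The event tuples, thresholds and function names are assumptions made for the illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed login events: (source_ip, email, success). Not real Workflowy data.
EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 5) for i in range(8)]
    + [("198.51.100.20", "alice@example.com", False)] * 6
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)

def per_source(events):
    """Aggregate attempts, failures, targeted accounts and successes per source."""
    stats = defaultdict(lambda: {"accounts": set(), "hits": set(),
                                 "attempts": 0, "failures": 0})
    for ip, email, ok in events:
        s = stats[ip]
        s["accounts"].add(email)
        s["attempts"] += 1
        if ok:
            s["hits"].add(email)
        else:
            s["failures"] += 1
    return stats

def classify(events, min_accounts=5, min_attempts=5, min_fail_ratio=0.8):
    """Label each source; the thresholds are illustrative assumptions."""
    labels = {}
    for ip, s in per_source(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            labels[ip] = "normal"               # e.g. a user mistyping once
        elif len(s["accounts"]) >= min_accounts:
            labels[ip] = "credential_stuffing"  # many accounts, mostly failing
        else:
            labels[ip] = "brute_force"          # many tries at few accounts
    return labels

def accounts_to_reset(events):
    """Accounts a stuffing source logged into: the reused password worked."""
    labels = classify(events)
    return sorted(email
                  for ip, s in per_source(events).items()
                  if labels[ip] == "credential_stuffing"
                  for email in s["hits"])

if __name__ == "__main__":
    print(classify(EVENTS))
    print(accounts_to_reset(EVENTS))
```

Grouping by source IP is a simplification; the same counting works with any other grouping key a login service records.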

What we are doing

We are currently implementing the protections needed to re-enable signup/login from our desktop and mobile applications, and stop the login spam.

We will keep you updated. We will post updates here, on Twitter, and on our status page.

What you should do

  1. If you use a password to log into Workflowy, and you use that same password on other sites, you should change it here.
  2. If the email account you use for Workflowy has a password that you use with other sites, you should change your email password as well.

Thank you for your patience and our apologies for the inconvenience.

3 thoughts on “Security Notice: If you can’t log into Workflowy right now, or you are getting lots of login emails, this is why …”

  1. Courage! I can’t imagine how hard your task is at this point.

  2. I’ve been a user of WorkFlowy for over a decade and I’ve always been happy with the product itself. That said, two-factor authentication would mitigate these kinds of attacks and it’s pretty silly to not support it in 2021. It’s been on your radar for a while now:

    https://workflowy.zendesk.com/hc/en-us/community/posts/360039767392-Two-factor-authentication

    “Although not guaranteed… we may certainly look into this in the new year… once we’ve got some major features released that we’re currently working on!”

    Maybe it’s time to prioritize security as a major feature?
