An update on the recent credential stuffing attack against Workflowy user accounts

Update 2021-05-12: Note, if this is the first you’re hearing about this attack, then you weren’t impacted.

Important: Most people who received an email from us did not have their accounts compromised! We emailed every single user who logged in during the period of the attack and told them as much.

The only way your account was compromised was if your Workflowy password is re-used on other sites. If you use a strong password and don’t re-use it, your account 100% has not been compromised. For people who re-use passwords, we simply do not know exactly which accounts were compromised.

What happened?

As we posted about on our Twitter account, individual Workflowy accounts were recently targeted by an unknown attacker.  This malicious activity initially appeared to be the work of a spammer, but upon further investigation we identified that the real goal was gaining access to individual accounts.  Workflowy’s back-end systems and infrastructure were not compromised in this attack.

While we do not have visibility into the specific tools used by the attacker, evidence from the attack appears consistent with “credential stuffing,” which is the automated use of collected usernames and passwords to gain fraudulent access to user accounts.  You can read more about credential stuffing here.  We have no way of knowing where the attacker got the credential information used in this attack, but we have identified no evidence that it originated with Workflowy.

We also believe that our actions mitigated and ultimately stopped this attack, as further discussed below.  Based on our investigation, the attacker targeted a limited number of Workflowy accounts during the attack, and the vast majority of Workflowy users were not impacted.  Additionally, because of the nature of the attack, the only accounts impacted are those that a) use passwords for login, and b) use the same password for Workflowy as for other services.
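The signature described above (one source cycling through many different accounts, almost all failing, with the occasional success on an account whose password was re-used elsewhere) is what a defender looks for in login logs. The following is an added example of that detection, not Workflowy's own code; the log format, sample lines and thresholds are constructed for illustration.

```python
"""Credential-stuffing detection over login-attempt logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source_ip> <email> <result>", result is ok|fail.
# 203.0.113.7 tries six different accounts in seconds and gets one hit;
# 198.51.100.4 is an ordinary user who mistyped once and then logged in.
SAMPLE_LOG = """\
2021-03-10T09:00:01Z 203.0.113.7 alice@example.org fail
2021-03-10T09:00:02Z 203.0.113.7 bob@example.org fail
2021-03-10T09:00:02Z 203.0.113.7 carol@example.org ok
2021-03-10T09:00:03Z 203.0.113.7 dave@example.org fail
2021-03-10T09:00:03Z 203.0.113.7 erin@example.org fail
2021-03-10T09:00:04Z 203.0.113.7 frank@example.org fail
2021-03-10T09:15:00Z 198.51.100.4 alice@example.org fail
2021-03-10T09:15:30Z 198.51.100.4 alice@example.org ok
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct accounts tried
    succeeded_users: set = field(default_factory=set)  # accounts actually entered

def parse_line(line):
    ts, ip, user, result = line.split()
    return ts, ip, user.lower(), result == "ok"

def aggregate(log_text):
    """Group attempts by source IP so per-source behaviour can be scored."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded_users.add(user)
        else:
            s.failures += 1
    return stats

def flag_stuffing_sources(stats, min_users=5, min_fail_ratio=0.8):
    """Many distinct accounts from one source with a high failure rate is the
    stuffing signature; a user mistyping a password hits only their own account."""
    return {ip for ip, s in stats.items()
            if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio}

def at_risk_accounts(stats, flagged):
    """Accounts successfully logged into from a flagged source: the set to notify
    and move to a password reset or login-code flow (hypothetical thresholds)."""
    return set().union(*(stats[ip].succeeded_users for ip in flagged))
```

Raising `min_users` or the time window reduces false positives from shared NAT addresses; in production the same aggregation is usually run per rolling window rather than over a whole file.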

How did we respond?

On March 12, we received a flurry of user reports of receiving multiple automated e-mail messages from us regarding their accounts.  After an initial investigation, we determined that the activity began on March 10 and appeared to be the work of a spammer.  We posted to Twitter to alert users about this.

We take our relationship with our users seriously, so we acted promptly based on what was known at the time and communicated what we believed was occurring.  We were not initially aware that any user accounts were at risk of compromise.

In the following days, we observed user login activity similar to what triggered the flurry of e-mails reported to us on March 12.  Because of that previous activity, we were able to quickly identify and act on this attack.  We also determined that the attacker was attempting to compromise user accounts through credential stuffing.

During the attack, we implemented a number of different measures to stop the attacker.  We will not publicly detail the steps taken because we do not want future attackers to have that information, but some like our implementation of reCAPTCHA were visible to users.  We saw initial successes with these actions, followed by the attacker making changes and resuming the attack.  When other measures did not work, we temporarily blocked all users from logging in to completely halt the attack.  During our response, we were able to block the attack for most of the time that it lasted.  We also posted to Twitter to alert our users and continued to post updates.  On March 19, we were able to stop the attack completely. 

We are currently continuing to require reCAPTCHA authentication for all logins to prevent this type of attack from happening again.  Out of an abundance of caution, we have transitioned all user accounts that were logged into during the period of the attack to email-based login codes. If you are one such user and prefer a password, you can reset your password here. We apologize for any inconvenience caused by these temporary changes.

Workflowy is otherwise back to full functionality for our users.

We are also in the process of adding additional levels of protection and further hardening our systems.  These actions include:

1. Implementing two factor authentication, which confirms users’ identities using their phone numbers.  We will encourage all users to enable this functionality when available.

2. Integrating with Castle.io, a well-respected solution for fraud prevention and account security that will help us prevent attacks and alert users of suspicious activity.

3. Hiring a reputable third-party firm to conduct security testing on our systems. 

4. We are considering migrating all users to email-based logins, with an option to easily convert back to password-based logins if they so choose. Our goal is to create a safer default for non-technical people who do not use password managers, while minimizing disruption for people who do use password managers.

5. Adding additional capabilities and/or processes to our team going forward.

Was my account compromised?

As described above, our investigation indicated that this attack occurred during a specific period of time.  We have identified user accounts that were logged into during that timeframe and therefore potentially at risk.  We have reached out to those users who may have been impacted.  

Please note that some users may have received a flurry of account-related emails during these dates, but that does not necessarily mean their accounts were compromised.  Similarly, a reset password does not necessarily indicate that an account was compromised—we reset passwords for all user accounts with any login during the period.  

If you did not receive a message from us about this, we have no evidence that your account was at risk.

Do I need to do anything?

Out of an abundance of caution, we suggest that all users who convert back to password-based logins consider changing their passwords and avoid re-using passwords that are used elsewhere.  We also encourage users to take advantage of the additional security features that we will be adding to Workflowy.

We know that our users utilize Workflowy for many purposes and projects, but because we cannot see what information is in individual users’ accounts, we cannot advise on what might be in your account.

We are committed to continue working to improve and further secure Workflowy.  We do not take for granted that you chose us, and we are excited to find new ways for Workflowy to work for you. 

Thank you for using Workflowy.  We are proud to be the sidekick you trust for your notes, thoughts, and whatever else you put in Workflowy.


49 Responses

  1. Hi Jessie, great write up. Already taking advantage of the attack to modify my behavior. Keep up the good work and implement two factor authentication. Thank you. Jim

  2. I tried to log in to my account by providing my email. I got the automated message that a code is being sent. Ten minutes later, I am still waiting for my code. I hope you can get this straight. Thank you.

  3. I no longer use the email address associated with my Workflowy account, and therefore I can’t get into that email to get the access code I need to login to my account. Is there anything you can do to help? Please say yes!

    1. Do you still have access to your data from a browser/app or are you totally locked out?
      Did you try to contact support?

    2. Hi Megan, sorry, we’re working through a backlog of tickets and I will definitely get to yours. We’re actually working on a solution right now for users who don’t have access to their email accounts to get back in… and we will be in touch with you via the help desk 🙂

      1. Is there any update on how the help desk is going through support tickets? I’d at least appreciate knowing when someone might get to me. I’ve tried over several days to reset my password via the link, but no email ever arrives (and I am using my workflowy account email). So far no response to my support ticket….I’ve scrambled to be able to work without my data for the moment…but am not sure whether to plan for several more days (or longer) of blocked access to my account. Would really appreciate having some sort of idea for what to expect. Thank you.

    1. This is an old note I have :
      Edited in the last x time unit (h = hours, d = days, m or (none) = minutes)

      changed:30d OLD ALIAS WORKS THE SAME: last-changed:30d

  4. Please do not add SMS-based 2-Factor Authentication. It is not sufficiently secure. Add OTP-based authentication instead.

    1. +1, anything else other than SMS would be better, even confirmation over email as 2nd factor,

    2. SMS-based 2FA is still more secure than no 2FA, and a lot more user friendly to non-technical people. App-based, token-based, U2F, and WebAuthN are incrementally more secure, but also raise complexity (with the exception of WebAuthN which can be very user friendly).

      You need to add the options that make the most sense for your users to keep them secure. Adding a highly technical solution is great, for those who know how to use it, but not if it comes at the expense of adding simpler 2FA that more users can use.

      There is a difference between SMS 2FA and Account Recovery over SMS, the latter being the real “not sufficiently secure” option.

      1. @Cleroth, it’s not a false sense of security though. SMS 2FA is more secure than having no 2FA at all. It may not protect you against targeted attacks, but neither will App-based or even some token based 2FA.
        Yes exploiting SMS 2FA is easier than App-based or token based, but it still needs to be a targeted attack.

        Non-technical users who chose terrible passwords can understand and use SMS 2FA – which will protect their accounts. Those same users won’t understand app-based 2FA and stick with their terrible passwords, with no protection.

        Don’t get me wrong, I’m not saying SMS based 2FA is the only method that should be used. I’d love to use WebAuthN on everything, but I’ll settle for U2F or app-based, but SMS 2FA is better than nothing.

        The real problem with SMS is account recovery with SMS as single factor. That’s the security risk we should be talking about – to developers, not users.

    1. I’d recommend opening a case on the support page. This way you’ll get a ticket opened and tracked directly with the support team.

  5. Thanks for the quick and appropriate reaction, however, I’m currently stuck out of my account. The system used to send the one-time verification code to email wasn’t delivering for some reason so after two attempts and 10-15 minutes of waiting, I went ahead and tried to reset my password. Didn’t work either. The email at least arrives, but the link I click in it leads me to a page where I should choose my new password. Entering anything there says “wrong password”.

    1. OK, turns out, as I was firstly opening the reset link on my phone, it automatically opened the app and what I was seeing wasn’t actually the reset page. After trying again, this time opening the link in the browser on my laptop, it allowed me to reset it (and was actually a totally different screen).

      Good, I’m in. :sigh-of-relief: 😉

  6. Stupid to just be tweeting about this. So it’s 3/26 and it’s the first I’ve heard about any of this because I don’t use crap social media?

    1. First email I got about this was 3/20. Yay Jesse and Co. Spam filter? Agreed, no Twitter for me either.

  7. My status is I can’t login and my reset my password emails are not received (and yes I check junk). I’m guessing the hacker logged into my account and changed the password and email. Which is extra weird as my username is my email.

    Workflowy has not responded to multiple inquiries to help@workflowy.com.

    I will never understand how the leadership thought tweeting about the problem was the same as actual notifications.

    1. Exactly the same thing for me! Cannot log in, password reset does not work because I see no emails received. And initially I was automatically logged out from my Workflowy tab in my browser, and it asked to enter some code, but I haven’t received emails with codes as well.

      1. That reset link does not work. It’s the same page I have been using. I get nothing back (and yes, I check junk).

      2. Frank, I double checked it using this link, and I still have no password reset emails from Workflowy. I also checked my spam folder, so it looks like Workflowy emails either not sent at all, or they sent somewhere else.

        Is it possible somehow that such emails can be sent to an email address different than the address used during registration on Workflowy?

      3. Vlad, I’m in the same situation as yourself. Can’t login and reset emails aren’t working.

      4. Many thanks to Frank.
        I have sent an email with a description of my issue to help@workflowy.com, and Frank responded quite fast, but it was almost weekend (I have active subscription). After trying some recommendations from Frank we found the reason of my issue and with help of Frank I was able to recover access to my Workflowy account, and all my lists are fine!

        Mat, not sure if you have exactly the same issue, but you need to check if you are using the same email as you used when registering your Workflowy account when trying to reset your password with the link provided by Frank. In my case, as I’m using Keepass for storing passwords, I always copied my email address from Keepass and pasted it into the password reset form. But it appeared that the email address I initially entered into my Keepass was incorrect, it had some differences from my real email. So I detected this only after trying to enter my email address manually on another computer. And this incorrect email address had no existing mailbox, so all emails from Workflowy were not delivered.

    2. Also, you can’t change a password in workflowy without an email, so your account won’t have been taken over.

      1. Thank you. That is good to know. I’m guessing someone got in, did something, and now I’m locked out. But that doesn’t explain why the reset password is not working.

      2. Can you address the “password reset” link not working, and the receiving no emails issue?! Because I too have been locked out of my account, and have been unable to WORK on any project within workflowy, with no response from support. I’m seriously rethinking why I put so much into my account when my access has been frozen for days and no reasonable way to re-access it.

  8. Since yesterday I am not able to log in to workflowy. It sends me a code and I immediately enter it, but the login page says that it’s already expired.

    1. Hi David, if you are still having the issue, we’ve addressed one issue that was leading people to have this experience, so it may now be resolved. If you haven’t yet changed to a password, you could try again and see if it worked

  9. Thank you for your transparency and prompt reaction. The silver lining for users is that 2FA is now a priority 😉

    Growing pains. Nice work guys!

  10. Thanks for your quick response to the security threat. I rely on Workflowy to a large degree for my work and knowing you implemented a better login system because of a breach is reassuring.

  11. Still can’t get it. Password reset still doesn’t work (and yes I check junk). Emailed their help multiple times, still no response from anyone. What is going on?

    1. Just to add my name to the list. I haven’t been able to access anything since Friday 26th, and have received no response from Password Reset or from the Help Desk for five days. I don’t use Twitter, and until I discovered this page I was wondering Workflowy had disappeared altogether, taking years of my life with it.

      I wonder how many other people out there are having the same problem? What about a generic letter to everyone who has written to the help desk, just to reassure them you are still there, and some timeline for things to be fixed?

      I’ll report back here in a couple of days if I still haven’t heard.

    2. Hi Mat, please check my answer several posts above, maybe it will be useful for you. With help of Frank I was able to recover access to my account.

      1. Thanks Vlad. I figured it out. The root of my problem is I had blocked all email from workflowy at some point for some stupid reason. Not junked, just blocked. Meaning no resets or responses to my emails to their help were coming through.

  12. > Implementing two factor authentication, which confirms user’s identities using their phone numbers.
    Please don’t go the phone number route!! People need to get used to using an authenticator app. Phones aren’t that reliable when traveling, numbers change as people get SIM cards for travel etc.
