
An update on the recent credential stuffing attack against Workflowy user accounts

Update 2021-05-12: Note, if this is the first you’re hearing about this attack, then you weren’t impacted.

Important: Most people who received an email from us did not have their accounts compromised! We emailed every single user who logged in during the period of the attack and told them as much.

The only way your account could have been compromised is if your Workflowy password is also used on other sites. If you use a strong, unique password, your account has not been compromised. For people who re-use passwords, we simply do not know exactly which accounts were compromised, which is why we contacted everyone who logged in during the attack.

What happened?

As we posted on our Twitter account, individual Workflowy accounts were recently targeted by an unknown attacker. This malicious activity initially appeared to be the work of a spammer, but upon further investigation we identified that the real goal was gaining access to individual accounts. Workflowy's back-end systems and infrastructure were not compromised in this attack.

While we do not have visibility into the specific tools used by the attacker, evidence from the attack is consistent with "credential stuffing": the automated replay of username and password pairs, collected from breaches of other services, against a login endpoint in order to gain fraudulent access to accounts whose owners re-used those passwords. You can read more about credential stuffing here. We have no way of knowing where the attacker obtained the credentials used in this attack, but we have found no evidence that they originated with Workflowy.

We also believe that our actions mitigated and ultimately stopped this attack, as discussed below. Based on our investigation, the attacker targeted a limited number of Workflowy accounts, and the vast majority of Workflowy users were not impacted. Additionally, because of the nature of the attack, the only accounts that could have been affected are those that a) use a password to log in, and b) use the same password for Workflowy as for other services.
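To make the pattern described above concrete, here is an added illustration of the kind of heuristic a defender applies to login-audit records to spot a stuffing source and to pick out the accounts it successfully entered. This is example code written for this page, not Workflowy's own detection logic; the log line format, the IP addresses, the usernames and the thresholds are all assumptions, and the sample log is constructed. The key property it relies on is the one stated in the post: a stuffing source tries many different usernames, most attempts fail, and the few successes are exactly the accounts whose owners re-used a leaked password.

```python
"""Toy credential-stuffing detector over constructed login-audit lines.

Assumed log format (one attempt per line):
    <iso-timestamp> ip=<addr> user=<name> result=ok|fail
Heuristic: flag a source IP that attempts many distinct usernames with a
high failure ratio; any successful login from such a source is an
account to treat as potentially compromised.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one stuffing source (203.0.113.7) cycling through
# ten different usernames, one of which (dana) re-used a leaked password,
# plus two ordinary users logging in from their own addresses.
SAMPLE_LOG = [
    "2021-03-10T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail",
    "2021-03-10T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail",
    "2021-03-10T10:00:03Z ip=203.0.113.7 user=carol@example.com result=fail",
    "2021-03-10T10:00:04Z ip=203.0.113.7 user=dana@example.com result=ok",
    "2021-03-10T10:00:05Z ip=203.0.113.7 user=erin@example.com result=fail",
    "2021-03-10T10:00:06Z ip=203.0.113.7 user=frank@example.com result=fail",
    "2021-03-10T10:00:07Z ip=203.0.113.7 user=grace@example.com result=fail",
    "2021-03-10T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=fail",
    "2021-03-10T10:00:09Z ip=203.0.113.7 user=ivan@example.com result=fail",
    "2021-03-10T10:00:10Z ip=203.0.113.7 user=judy@example.com result=fail",
    # alice mistypes once, then succeeds: one user, 50% failures -> benign
    "2021-03-10T10:05:00Z ip=198.51.100.4 user=alice@example.com result=fail",
    "2021-03-10T10:05:09Z ip=198.51.100.4 user=alice@example.com result=ok",
    "2021-03-10T10:07:00Z ip=192.0.2.9 user=bob@example.com result=ok",
    "this line is not a login record and is skipped",
]


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return the parsed fields of a login record, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def collect(lines):
    """Aggregate login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_stuffing_sources(stats, min_distinct_users=5, min_failure_ratio=0.8):
    """IPs that look like stuffing sources: many usernames, mostly failing."""
    return sorted(
        ip for ip, s in stats.items()
        if len(s.users) >= min_distinct_users and s.failure_ratio >= min_failure_ratio
    )


def at_risk_accounts(stats, flagged_ips):
    """Accounts successfully entered from a flagged source (re-used passwords)."""
    risk = set()
    for ip in flagged_ips:
        risk |= stats[ip].successes
    return sorted(risk)


def run_detection(lines=SAMPLE_LOG):
    """Full pipeline: returns (flagged source IPs, at-risk usernames)."""
    stats = collect(lines)
    flagged = flag_stuffing_sources(stats)
    return flagged, at_risk_accounts(stats, flagged)


if __name__ == "__main__":
    flagged, risk = run_detection()
    print("stuffing sources:", flagged)
    print("accounts to force-reset:", risk)
```

The thresholds are deliberately crude; in practice an attacker rotates source addresses (the post notes the attacker "making changes and resuming"), so the same counters are usually kept per /24, per ASN, or per user-agent fingerprint as well as per IP, and the legitimate "one user, a couple of typos" pattern is what the distinct-username threshold is there to exclude.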

How did we respond?

On March 12, we received a flurry of user reports of receiving multiple automated email messages from us regarding their accounts. After an initial investigation, we determined that the activity began on March 10 and appeared to be the work of a spammer. We posted to Twitter to alert users about this.

We take our relationship with our users seriously, so we acted promptly based on what was known at the time and communicated what we believed was occurring.  We were not initially aware that any user accounts were at risk of compromise.

In the following days, we observed login activity similar to what had triggered the flurry of emails reported to us on March 12. Because of that earlier activity, we were able to identify and act on this attack quickly. We also determined that the attacker was attempting to compromise user accounts through credential stuffing.

During the attack, we implemented a number of different measures to stop the attacker. We will not publicly detail the steps taken because we do not want future attackers to have that information, but some, like our deployment of reCAPTCHA on the login form, were visible to users. We saw initial successes with these actions, followed by the attacker adapting and resuming the attack. When other measures did not work, we temporarily blocked all users from logging in to halt the attack completely. Over the course of our response, we were able to block the attack for most of the time that it lasted. We also posted to Twitter to alert our users and continued to post updates. On March 19, we stopped the attack completely.

We are currently continuing to require reCAPTCHA verification for all logins to prevent this type of attack from happening again. Out of an abundance of caution, we have transitioned all accounts that logged in during the period of the attack to email-based login codes. If you are one such user and prefer a password, you can reset your password here. We apologize for any inconvenience caused by these temporary changes.

Workflowy is otherwise back to full functionality for our users.

We are also in the process of adding additional levels of protection and further hardening our systems.  These actions include:

1. Implementing two-factor authentication, which confirms users' identities using their phone numbers. We will encourage all users to enable this functionality when it is available.

2. Integrating with Castle.io, a well-respected solution for fraud prevention and account security that will help us prevent attacks and alert users of suspicious activity.

3. Hiring a reputable third-party firm to conduct security testing on our systems. 

4. Considering migrating all users to email-based logins, with an option to easily convert back to password-based logins if they so choose. Our goal is to create a safer default for non-technical people who do not use password managers, while minimizing disruption for people who do use password managers.

5. Adding additional capabilities and/or processes to our team going forward.

Was my account compromised?

As described above, our investigation indicated that this attack occurred during a specific period of time. We have identified the user accounts that were logged in to during that timeframe and are therefore potentially at risk, and we have reached out to those users.

Please note that some users may have received a flurry of account-related emails during these dates, but that does not necessarily mean their accounts were compromised. Similarly, a password reset does not necessarily indicate that an account was compromised: we reset passwords for all accounts with any login during the period.

If you did not receive a message from us about this, we have no evidence that your account was at risk.

Do I need to do anything?

Out of an abundance of caution, we suggest that all users who convert back to password-based logins change their password, choose one that is not used anywhere else, and consider a password manager to make that easy. We also encourage users to take advantage of the additional security features that we will be adding to Workflowy.

We know that our users rely on Workflowy for many purposes and projects, but because we cannot see what information is in individual users' accounts, we cannot advise on what an attacker may have seen in your account.

We are committed to continuing to improve and further secure Workflowy. We do not take for granted that you chose us, and we are excited to find new ways for Workflowy to work for you.

Thank you for using Workflowy.  We are proud to be the sidekick you trust for your notes, thoughts, and whatever else you put in Workflowy.
