Update: Mobile and desktop are fixed, but they require two phases of reCAPTCHA (clicking the images of traffic lights to tell the computer you aren’t a bot). This is really annoying, and we’re working on reducing that to one.
For the past week, someone has been executing a credential stuffing attack against the Workflowy servers. This means that they got a huge list of emails and passwords from somewhere (hacks of other sites), and they’re checking whether those same email/password combos will give them access to any Workflowy accounts.
We’ve been working to address the issue, but yesterday they escalated the attack and we had to turn off login from our mobile and desktop apps in order to prevent people getting spammed further and the attacker having the opportunity to log in.
What we are doing
We are currently implementing the protections needed to re-enable signup/login from our desktop and mobile applications, and stop the login spam.
We will keep you updated. We will post updates here, on Twitter, and on our status page.
What you should do
- If you use a password to log into Workflowy, and you use that same password on other sites, you should change it here.
- If the email account you use for Workflowy has a password that you use with other sites, you should change your email password as well.
Thank you for your patience and our apologies for the inconvenience.
I’ve been a user of WorkFlowy for over a decade and I’ve always been happy with the product itself. That said, two-factor authentication would mitigate these kinds of attacks and it’s pretty silly to not support it in 2021. It’s been on your radar for a while now:
“Although not guaranteed… we may certainly look into this in the new year… once we’ve got some major features released that we’re currently working on!”
Maybe it’s time to prioritize security as a major feature?
Courage! I can’t imagine how hard your task is at this point.
Thank you for the heads up, Jesse.