Update: A very similar thing happened on November 8, 2019. Please refer to the blog post below for the details.
This morning, we found something odd on our dashboards. Web Logins increased from an average of 300 to 4000+ since October 17th.
After a little bit of digging in our logs, we found that logins to some accounts were coming from over ~6500 different IPs. Based on data from haveibeenpwned.com, the attacked accounts appeared in past leaks from other sites.
XSplit.com rate limits based on IPs, but the attacker circumvented it by using a big list of IPs. To counter that, we quickly implemented a rate limit based on User IDs and tries. It worked well enough: the attacker stopped trying out compromised accounts, but we knew that they could come back anytime with a better script. In order to reduce the possibility of this happening ever again, we:
- Figured out exactly which accounts were logged in to erratically from unusual IPs
- Invalidated the passwords on those accounts
- Pushed a new security feature that causes multiple attempts on login to lock the account for a while, regardless of IPs used
- Pushed a new security feature that checks for compromised passwords on haveibeenpwned.com. We will no longer accept compromised passwords on XSplit.com
- Sent an email to all compromised accounts pointing to this blog post for explanation
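
The gap described above, where an IP-keyed limit never triggers because every guess arrives from a new address while an account-keyed lock does, shown as an added example (not XSplit's code). The thresholds, the class and function names, and the sample attempts are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class FailureLimiter:
    """Locks a key for lock_s seconds after max_failures failures within window_s."""
    def __init__(self, max_failures=5, window_s=300, lock_s=900):  # assumed thresholds
        self.max_failures, self.window_s, self.lock_s = max_failures, window_s, lock_s
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time at which the lock expires

    def allowed(self, key, now):
        return now >= self.locked_until.get(key, 0)

    def record_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while recent[0] <= now - self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lock_s
            recent.clear()

def by_ip(attempt):
    return attempt[1]

def by_account(attempt):
    return attempt[2]

def guesses_checked(attempts, key_fns):
    """Count failed guesses that still reach the password check when one
    limiter per key function is enforced. Attempt = (timestamp, ip, account)."""
    limiters = [(FailureLimiter(), fn) for fn in key_fns]
    checked = 0
    for attempt in attempts:
        now = attempt[0]
        if all(lim.allowed(fn(attempt), now) for lim, fn in limiters):
            checked += 1
            for lim, fn in limiters:
                lim.record_failure(fn(attempt), now)
    return checked

def accounts_seen_from_many_ips(attempts, min_ips):
    """Map each account to its distinct source-IP count, if at least min_ips."""
    ips = defaultdict(set)
    for _, ip, account in attempts:
        ips[account].add(ip)
    return {acct: len(s) for acct, s in ips.items() if len(s) >= min_ips}

# Constructed sample: 200 wrong guesses at one account, 2 s apart, each from a new IP.
ATTEMPTS = [(2 * i, f"198.51.100.{i}", "user-1001") for i in range(200)]

if __name__ == "__main__":
    print("checked, IP-only limit:     ", guesses_checked(ATTEMPTS, [by_ip]))
    print("checked, IP + account limit:", guesses_checked(ATTEMPTS, [by_ip, by_account]))
    print("accounts hit from 50+ IPs:  ", accounts_seen_from_many_ips(ATTEMPTS, 50))
```

An account-keyed lock also lets anyone who knows a username keep that account locked, so the lock duration is a trade-off between slowing guesses and inconveniencing the real owner.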
In the near future, we will implement these extra security features:
- When logging in using a password that has been compromised in the past, a notice will pop up, urging you to change your password (again, using the API from haveibeenpwned.com).
- Optional two-factor authentication for apps and web login
Even though the breached accounts weren't from XSplit, we felt we could do more to secure our users, regardless of where the breach originated.
Stay vigilant and do not reuse passwords!