Important Security Update

Sunday, 16 September 2012, 6pm GMT, 10am Pacific

Last night, we discovered there was an attempt to steal passwords and phone numbers from some of Avego’s RTR (real-time ridesharing) accounts.

We can confirm that an unauthorized user gained access to user e-mail addresses and encrypted passwords for corresponding accounts due to an exploit in a technology component used on one of our servers.

No customer financial data was stolen or affected by this attack.

We immediately launched an investigation. Our investigation, at this time, indicates that no user data has been compromised in any of Avego’s Vanpooling or Bus operations systems.

These are the steps we are pursuing at the present time:

1. We have put the Avego Real-time Ridesharing service on hold for today (Sunday) while we assess and correct the situation with the server affected and make patches to related servers.

2. As a precautionary measure, we have put other Avego servers which do not appear to be affected by the attack into maintenance mode, while we put in new measures to safeguard against similar attacks. We will update you on their status within the next 24 hours.

3. While the passwords in our Real-time Ridesharing database were encrypted, a determined attacker could decrypt these passwords. Thus, we have reset all passwords for the affected server. It will not be possible for the hacker to access or change your data on Avego.

4. If you are an RTR user on an affected server, you will be receiving an e-mail asking you to reset your password once normal operations resume.

If you have been using your Avego RTR password on other sites with the same e-mail address that you’ve used with Avego (the address at which you’ve received this e-mail), we recommend that you change those passwords on those other sites (e.g. Gmail, LinkedIn).

We will continue to work on a comprehensive security review (which was underway even before the attack) in order to ensure that similar attacks cannot happen in the future.

We will continue to investigate the situation and to inform you of any further developments. If you have any questions on this attack, you can direct them to Eoin Verling from Avego’s Network Operations department, Eoin.Verling@avego.com.

We sincerely apologize for the inconvenience this has caused our users. We take the security of our users very seriously.

Sean O’Sullivan, Managing Director
