On or around April 26th, Isomorphic’s public-facing web servers were compromised by a well-known government-backed APT (Advanced Persistent Threat: in plain terms, a well-funded, state-sponsored hacking group).
If you are short on time, all you need to know is: no confidential information (such as credit cards or billing details) was stolen, but if you use the same password on other sites, then out of an abundance of caution you should change it.
For those who are more curious: Isomorphic has two security professionals on its founding team, and in our 20-year history this is the first time we have had a server compromised. The reason it happened now is that there is no complete defense against a government-backed group like this: they can purchase zero-day exploits (attacks on vulnerabilities that no one else knows about, so no patch exists yet) on the dark web (a virtual black market), and if the price of such an exploit is $1M USD, they can pay it.
Even though we follow security best practices, keeping software up to date and using a “layered security” approach so that even if one server is compromised the others remain safe, a group with enough money can simply purchase a series of never-before-seen exploits, one for each layer, and get through all of them.
This is why you see other security-savvy companies getting hacked all the time, and some of the companies that never announce a breach are quietly paying ransoms to keep it secret.
Because this is a known, government-backed group, we have been in close contact with the FBI regarding this attack. We are not sure why we were targeted (possibly because of our many defense-contractor customers), but there was no confidential information for the attackers to obtain on the compromised servers.
They did have access to user login information, with passwords stored in hashed form (this is not encryption, which could be reversed with a key). This means they do not know your password; what they have is the value your password produces after going through a one-way (irreversible) cryptographic function called a “hash”. What they can do is an offline “dictionary” attack: run hundreds of millions of candidate passwords through the same hash function and compare each result against the stolen hashes until one matches. How long that takes depends mostly on how guessable your password is (and on how slow the hash function is to compute; modern password hashes are deliberately slow for exactly this reason).
If you have a poor-quality password, for instance a single English word like “donkey”, then by now they know it. If you have a 50-character password generated by a password manager, it is unlikely they will find it before the end of the universe, but out of an abundance of caution you may still want to change it.
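To make the dictionary attack above concrete, here is an added example written for this page (it is not Isomorphic’s code, and the page does not say which hash algorithm was used or whether passwords were salted). The leaked table, the word list, the 50-character stand-in for a manager-generated password, and the choice of unsalted SHA-256 versus salted PBKDF2 are all constructed assumptions. It shows why “donkey” falls immediately, why a long random password does not, and why salting and a slow hash multiply the attacker’s work.

```python
import hashlib
import os

# Added example, not code from Isomorphic. All data below is constructed.
# Assumption: the site stored unsalted SHA-256 hashes; the page does not say
# what it actually used, so this is illustrative only.


def sha256_hex(password: str) -> str:
    """Fast, unsalted one-way hash: the easiest case for the attacker."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Slow, salted one-way hash (PBKDF2-HMAC-SHA256). Each guess costs the
    attacker `iterations` underlying hash computations, and the per-user salt
    means work done on one account cannot be reused on another."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


# Constructed word list; real attackers use hundreds of millions of entries.
WORDLIST = ["password", "123456", "letmein", "donkey", "qwerty", "monkey"]

# Constructed 50-character stand-in for a password-manager password.
MANAGER_PASSWORD = "u7K$pQ2!wZ9vB4@nL8sT1#xH6mR3yC5jF0dG7eV2aW9bN4zM8q"

# Constructed "leaked" table: username -> unsalted SHA-256 hash.
LEAKED_UNSALTED = {
    "alice": sha256_hex("donkey"),
    "bob": sha256_hex(MANAGER_PASSWORD),
    "carol": sha256_hex("donkey"),  # same password as alice -> identical hash
}


def crack_unsalted(leaked: dict, wordlist: list, hash_fn=sha256_hex):
    """Offline dictionary attack against unsalted hashes.

    Each candidate is hashed once and looked up against every stolen hash via
    a reverse index, so the cost is len(wordlist) hash operations regardless
    of how many users leaked. Returns (cracked, hash_operations)."""
    by_hash = {}
    for user, stored in leaked.items():
        by_hash.setdefault(stored, []).append(user)
    cracked, ops = {}, 0
    for candidate in wordlist:
        ops += 1
        for user in by_hash.get(hash_fn(candidate), []):
            cracked[user] = candidate
    return cracked, ops


# Constructed leaked table with a random per-user salt and PBKDF2.
SALTS = {user: os.urandom(16) for user in ("alice", "bob", "carol")}
LEAKED_SALTED = {
    "alice": pbkdf2_hex("donkey", SALTS["alice"]),
    "bob": pbkdf2_hex(MANAGER_PASSWORD, SALTS["bob"]),
    "carol": pbkdf2_hex("donkey", SALTS["carol"]),  # same password, different hash
}


def crack_salted(leaked: dict, salts: dict, wordlist: list, iterations: int = 100_000):
    """Same attack against salted, iterated hashes. The salt forces one PBKDF2
    run per (user, candidate) pair, and each run costs `iterations` hashes.
    Returns (cracked, underlying_hash_operations)."""
    cracked, ops = {}, 0
    for user, stored in leaked.items():
        for candidate in wordlist:
            ops += iterations
            if pbkdf2_hex(candidate, salts[user], iterations) == stored:
                cracked[user] = candidate
                break
    return cracked, ops


if __name__ == "__main__":
    cracked, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted SHA-256:", cracked, "after", ops, "hash operations")
    cracked_s, ops_s = crack_salted(LEAKED_SALTED, SALTS, WORDLIST)
    print("salted PBKDF2:   ", cracked_s, "after", ops_s, "hash operations")
```

In both runs “donkey” is recovered for alice and carol while bob’s 50-character password is never found because it is not in the list and could not be enumerated. The difference is cost: against unsalted SHA-256 the attacker spends six hash operations for the whole table, against salted PBKDF2 the same list costs 1.4 million, and that gap grows linearly with the number of leaked accounts and the iteration count.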
It took us a few days to restore services (such as the forums) because we were being extra cautious, making sure that no “backdoors” (hidden ways back in for the attackers) had been left behind, but services are now back to normal.