On April 2, 2021, the Organization discovered a technical vulnerability involving user accounts that had been subject to an "account takeover" (ATO). The Organization reported that the vulnerability did not cause the ATOs; however, it permitted a malicious actor engaged in an ATO to remain logged in to a user account after the Organization had taken steps to terminate access and force a password reset. The Organization reported that it had previously informed its users that their accounts had been accessed and had taken a series of measures to remove the malicious access to user accounts. However, the issue in the Organization's systems was likely introduced on July 17, 2018 in a software upgrade, so the malicious actor may have continued to have access to user accounts and the information in them. On April 3, 2021, the Organization implemented additional measures to remove the malicious actor's access to user accounts and restored the accounts. In the course of an ATO, a malicious actor would have had access to all information that is typically visible to the account user. In some cases, the malicious actor may have made changes to the payment information in user accounts. The Organization reported that it successfully terminated all known ATO account sessions believed to have been affected by the vulnerability.
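The failure described above is a password reset that does not revoke sessions already issued. The following is an added illustration written for this page, not the Organization's code and not a reconstruction of its systems: a toy server-side session store with a `revoke_on_reset` switch. With the switch off, a forced reset kills the old credential but leaves an attacker's existing session token valid, which is the effect the notice describes; with it on, each reset bumps a per-account session generation, and every token issued under the old generation is rejected. All names, the hashing scheme and the sample account are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    password_hash: bytes
    # Incremented on every credential reset; sessions record the value at issue time.
    session_generation: int = 0
    must_reset_password: bool = False


@dataclass
class Session:
    username: str
    generation: int
    issued_at: float


class SessionStore:
    """Toy server-side session store (constructed for this example)."""

    def __init__(self, revoke_on_reset: bool):
        self.revoke_on_reset = revoke_on_reset
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(password: str) -> bytes:
        # Toy hashing for brevity; a real system would use argon2/bcrypt/scrypt.
        return hashlib.sha256(password.encode()).digest()

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, self._hash(password))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, acct.session_generation, time.time())
        return token

    def is_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self.accounts[sess.username]
        # The check that matters: a session issued under an older generation is
        # rejected, so a reset actually terminates live sessions. Without the bump
        # in force_password_reset(), this comparison is always true.
        return sess.generation == acct.session_generation

    def force_password_reset(self, username: str) -> None:
        acct = self.accounts[username]
        acct.must_reset_password = True
        acct.password_hash = secrets.token_bytes(32)  # old password no longer works
        if self.revoke_on_reset:
            acct.session_generation += 1  # invalidates every outstanding session


def attacker_survives_reset(revoke_on_reset: bool) -> bool:
    """Return True if a session obtained before the forced reset still works after it."""
    store = SessionStore(revoke_on_reset=revoke_on_reset)
    store.register("victim", "correct horse battery staple")  # constructed sample account
    # The attacker already holds the credential; how they got it (the ATO itself) is out of scope.
    attacker_token = store.login("victim", "correct horse battery staple")
    assert attacker_token is not None
    store.force_password_reset("victim")
    # The old credential is dead in both configurations...
    assert store.login("victim", "correct horse battery staple") is None
    # ...but does the session the attacker already holds still work?
    return store.is_valid(attacker_token)


if __name__ == "__main__":
    print("vulnerable store, attacker keeps session:", attacker_survives_reset(False))
    print("hardened store, attacker keeps session:  ", attacker_survives_reset(True))
```

The generation counter is one of several equivalent designs; deleting every row for the user from the session table on reset, or storing a `sessions_valid_after` timestamp on the account and rejecting older tokens, gives the same guarantee. Whatever the mechanism, the property to test for is the one `attacker_survives_reset` checks: a token issued before the reset must fail validation afterwards, not merely fail to be re-issued.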
P2021-ND-250
Categories: 2021