The title says it all and the details are on their blog, but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make that data searchable". This is in an era when most organisations are doing their utmost to downplay the significance of an event like this too.
This incident comes at a time when I'm writing up a fairly hefty blog post on how organisations should communicate in the wake of a data breach. There are a lot of examples in there from previous incidents - mostly around what you shouldn't do - but I don't want to dwell on those here. Instead, I'd like to highlight some of the things that really stand out to me in the way Ethereum has communicated this incident:
- They communicated promptly: they learned of the incident on the 16th and had a blog out on the 19th
- They were direct and honest: they disclosed precisely what data attributes had been compromised
- They provided technical detail: there's info on hashing algorithms and a breakdown of what was used where
- They explained how it happened: yes, there's limited info but this is one case where they need to be a bit selective about how much is shared
- They've already reset passwords: this is important in terms of immediately mitigating risk
- They explain what else they're doing to stop it from happening again: they need to rebuild confidence and this is an important part of that
- They're apologetic: the post ends with "We deeply regret that this incident occurred"
That last point is enormously important; we're so used to seeing companies say things along the lines of "sophisticated illegal malicious criminal cyber-actor" or other words that blame the intruder rather than own the problem. Make no mistake - there was illegal activity that went on here that could have serious ramifications if the perpetrator is identified - but rather than trying to shift blame in that direction, Ethereum is owning the problem and acknowledging their own shortcomings. They talk about an "attacker" and "unauthorised access" but spare us the sensationalism we're so often confronted with.
Ethereum is working in an area where trust and transparency are paramount, indeed they're two key value propositions of blockchains. The way they've communicated this incident and their willingness to contribute the data to HIBP should tell you a lot about the ethics of the way they run their organisation.
In order to make the data searchable in HIBP, Ethereum sent over only the email addresses that had been compromised as I don't require any other data. They also provided a schema of the impacted database so I could properly document the data classes that were exposed.
There are now 16,431 email addresses from the Ethereum forum breach searchable in HIBP.