versailles
Member

So Upwork, this security breach?

Hey Upwork, the security breach described in the following thread deserves more than a sorry for the inconvenience. It's not an inconvenience, users have reported that they were able to log into others' accounts and see messages and stuff.

 

At least you are legally required to inform your EU users about any data breach. You can treat others with crickets if you want...

 

https://community.upwork.com/t5/Freelancers/Nightmare-experience-logged-in-as-someone-else/td-p/5628...

-----------
"Where darkness shines like dazzling light"   —William Ashbless
mtngigi
Member


Rene K wrote:

Hey Upwork, the security breach described in the following thread deserves more than a sorry for the inconvenience. It's not an inconvenience, users have reported that they were able to log into others' accounts and see messages and stuff.

 

At least you are legally required to inform your EU users about any data breach. You can treat others with crickets if you want...

 

https://community.upwork.com/t5/Freelancers/Nightmare-experience-logged-in-as-someone-else/td-p/5628...




Wow .... just now finding out about this. Subscribing to see what Upwork has to say. This is most certainly not the time for crickets, no matter where we're located.

 

ETA: Were people able to get into someone else's banking information? How far into those profiles could you get when this was going on?

NDA agreements freelancers may have signed are now worthless. Who is responsible? More importantly, who is liable?

Why did it take so long before the site was taken down despite knowing that hundreds of thousands of people were traipsing around other people's accounts?

 

From what I've read, some users were able to see everything, so I'm assuming banking, NDA, PayPal info could also be available...

lenaellis
Staff

Rene and others, 

 

We understand that this is more than an inconvenience and was startling to many of you. The issue has been resolved and I will be updating the Community with more information about this site incident and the impact as soon as I have all the details.  I do understand your urgency, and appreciate your patience in the interim.

 

-Lena 



Lena E wrote:

Rene and others, 

 

We understand that this is more than an inconvenience and was startling to many of you. The issue has been resolved and I will be updating the Community with more information about this site incident and the impact as soon as I have all the details.  I do understand your urgency, and appreciate your patience in the interim.

 

-Lena 


 

"There are certain incidents that organisations need to tell us about. Use this page if you are an organisation that has experienced one of the following types of incident and need to report it to the ICO:

 

  • a personal data breach under the GDPR or the Data Protection Act 2018;
  • a Privacy and Electronic Communications Regulations (PECR) security breach by a telecoms or internet service provider;
  • a potential breach of the NIS Directive; or
  • a potential breach of the eIDAS Regulation

 

GDPR or DPA 2018 personal data breach

 

From 25 May 2018, if you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO.

 

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

 

For more information about what a personal data breach is and when you need to report it to us, please see the personal data breach pages of our Guide to the GDPR or if you are processing personal data for law enforcement purposes please see our Guide to Law Enforcement Processing.

You can also voluntarily report data security breaches that occurred before 25 May 2018, following the same process for reporting breaches of the DPA 2018."

 

Source: https://ico.org.uk/for-organisations/report-a-breach/

People, change your password, check that your e-mail and bank details were not messed with, read your profile to see if the person who Upwork invited into your account did not feel like being creative with your overview, and check your messages to see if nobody has been messaging your contacts.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

Hi Lena,

 

When are you going to give information about what happened "exactly"?
And also to know to what extent the information of the profiles has been exposed.
I think it is a subject serious enough not to have us waiting like other times.
I changed my passwords yesterday and it seems that everything is in order but, how do I know if someone connected to Upwork and my profile appeared with all my data ?
Very worrying.


Lena E wrote:

I will be updating the Community with more information about this site incident and the impact as soon as I have all the details.  I do understand your urgency, and appreciate your patience in the interim.


Well?

Or shall we continue to be "startled?" (which is one level below "confused" in the "offensive ways to describe your users' reactions to major Upwork fails" hall of fame)


Lena E wrote:

Rene and others, 

 

We understand that this is more than an inconvenience and was startling to many of you. The issue has been resolved and I will be updating the Community with more information about this site incident and the impact as soon as I have all the details.  I do understand your urgency, and appreciate your patience in the interim.

 

-Lena 


I'm sure I speak for the Community in saying we'll appreciate an update here. But a mishap of this scale and gravity merits official announcements teased with banner messages on every login page. Relatively few UW members haunt the Community Forum on a regular basis and those who don't, are in the dark about this. I happened to communicate with a FL I'm working with right now and alerted her. She had seen the outage yesterday but assumed it was just another routine outage and thought no more about it. We're so well conditioned to roll our eyes and work around it.

 

In any case, UW needs to stop creating the vivid impression that the leadership team is camped out in a locked conference room with the lights out, waiting for the attention to dissipate, and get some information out here in the open where it will do the most good.

We look forward to seeing more information on this and what is being done to prevent it from happening again.

astepanov83
Member

Upwork CTO must definitely resign. It's 100% his fault: he failed to build the development process properly and that led to this breach. I can't remember any similar disaster in any other company, except being hacked.


Aleksandr S. wrote:

Upwork CTO must definitely resign. It's 100% his fault: he failed to build the development process properly and that led to this breach. I can't remember any similar disaster in any other company, except being hacked.


Considering how wobbly their IT infrastructure is since the beginning, I'm worried by the fact that they haven't already fired him many times.

-----------
"Where darkness shines like dazzling light"   —William Ashbless
vsalinitro
Member

Wouldn't it be amazing if Upwork would send an email when things like this happen?

it's the second time in two weeks (see the Budget vs Proposal topic) that a massive bug comes up and the only way to know about that is through some random topics on this forum...

I assume that it was the same for client accounts, but did anyone here with a client account experience the same? And if so, have they received any (official) notification from Upwork?

So, it's crickets it seems. That shows your respect for your customers.

-----------
"Where darkness shines like dazzling light"   —William Ashbless


Rene K wrote:

So, it's crickets it seems. That shows your respect for your customers.

 


I can't imagine they can ignore addressing this serious breach. There is probably some serious scrambling going on. We'd all like to know if any of our personal information was compromised.


Virginia F wrote:

Rene K wrote:

So, it's crickets it seems. That shows your respect for your customers.

 


I can't imagine they can ignore addressing this serious breach. There is probably some serious scrambling going on. We'd all like to know if any of our personal information was compromised.


I think that this is pretty darned serious. Every US state, every country where Upwork operates (most likely) has legislation in place about data leaks; legislation that must be adhered to, including communicating (directly) to every individual customer who has been affected. I think that some states in the US (and most likely also elsewhere) have legislation that stipulate that customers must be informed immediately.

 

I imagine it's a busy day/evening at Upwork with legal consultation, PR strategy etc. 

 

NDAs have potentially been compromised wherever work product is available through Upwork's chat. Work product without NDAs has potentially been accessed, full names of freelancers disclosed, etc. etc. Whether it was possible to also access bank/payment information etc., I don't know, but I can't even imagine the scope of this as it is/may be so massive.


Annette E wrote:

I think that this is pretty darned serious. Every US state, every country where Upwork operates (most likely) has legislation in place about data leaks; legislation that must be adhered to, including communicating (directly) to every individual customer who has been affected. I think that some states in the US (and most likely also elsewhere) have legislation that stipulate that customers must be informed immediately.

 

It's not just affected users, either. For instance, in New York an outside company is required not only to provide a very specific notice to affected users in the state, but also to provide notice to the state Attorney General's office, the New York State Police, and the State Department.

 

The statute provides both for actual damages and for civil penalties in the hundreds of thousands of dollars.

 

And that's just one jurisdiction. 

iaabraham
Member

@Lena, where exactly will you post the official response to this issue? In the Announcement section or in these threads? It should also be posted on the site and social media pages.

 

I recall a similar security issue happening a while ago (people being logged in as someone else). Does anyone else remember that?

Two people in the last 24 hours have reported on this message board that their accounts were “hacked.” Does this have anything to do with the security breach? Two isn’t many considering how widespread the problem seems, but also, after searching, hacked account reports aren’t very common on this board.

Trying to reset passwords > it seems that Upwork is having 'issues' confirming our passwords ... which makes it impossible to change passwords.

 

What the he// else can go wrong????

I changed my password yesterday morning, and couldn't find anything amiss in my settings. But this whole thing remains deeply troubling, esp since UW's response (as usual) is evidently to hide while hoping it blows over.

Mods,

 

It is past a reasonable time for us to get a clear answer on this issue of a security breach.  Just changed my password.

 

Joe


Joseph M. C., P.C., CPA/ABV


Joseph C wrote:

Mods,

 

It is past a reasonable time for us to get a clear answer on this issue of a security breach.  Just changed my password.

 

Joe


Upwork first showed its lack of respect in the way we were ignored when the whole "talent specialists hiding our bids" fiasco was revealed. I guess we shouldn't be too surprised at the same lack of respect we're experiencing here with this much more serious issue.

Questions: Did this only involve freelancers or were clients affected too? Was there an interchange of data at some point? In particular, were freelancers who are also clients compromised? 

I also changed my password yesterday and didn’t have issues. Nor did I see anything wrong with my account. However, I haven’t tried logging in today.

And the system is still telling me my current password is incorrect ONLY when I try to change it. I can log in without a hitch.

 

Being told to contact CS is beyond laughable ....

 

Repeating - what the he// is going on and why have there been no updates on the security breach?

arriemmanuel
Member

Just discovered this issue, thanks to this thread.

 

So now I have a few questions:

As a publicly listed company, what is the requirement for Upwork to notify not only the affected users but also their investors and the markets ?

 

When did this happen ? Because under GDPR, when a data breach occurs, the local data protection authority and all affected data subjects must be notified within 72 hours.

Fines, at least the most expensive, being up to the greater of 20mln Euros or 4% of total revenue.

 


Emmanuel A wrote:

 

When did this happen ?


Under 48 hours ago. Some time during Tuesday morning UTC.

We need to keep this post alive and on the first page of the community. It's bad enough that so few freelancers are aware of this serious security breach, and it is beyond ridiculous that UpWork hasn't said anything about it yet.

 

To add to previous comments, here are some notes from the European Commission, maybe UW will listen to them if not their users?

A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, your company/organisation has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If your company/organisation is a data processor it must notify every data breach to the data controller.


If the data breach poses a high risk to those individuals affected then they should all also be informed.

Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obli...

I'd say a security breach that provides random people access to bank account/PayPal information, NDAs, business conversations, addresses and financial activity surely falls into this last category. But hey, who knows, I'm just a FL, right?

Still no real response. Shows the complete lack of respect Upwork has for its users.

 

Why do we put up with it?

 

There are far better ways to get clients. I'm out of here, and I suggest you all do the same.


Kevin C. N wrote:


I'd say a security breach that provides random people access to bank account/PayPal information, NDAs, business conversations, addresses and financial activity surely falls into this last category.


In fairness, the settings part (where the bank account/PayPal information, addresses etc. live) could not be accessed as they are behind a password. Also, bank account, email etc. are not visible in full, only the last digits, even there.

 

At least when I found myself seemingly in someone else's account, I could see her profile, but not edit it, messages were not accessible, all reports and contract info was actually my own, and the only thing I possibly could have done was take a skills test.

 

I am not saying the issue wasn't very serious and we don't deserve some immediate reaction beyond acknowledging that we were "startled", but it wasn't as if everyone had access to everything.

 

Interestingly, it seems Elance had a massive breach in 2009 and that didn't come out until a couple of years ago...

Petra R wrote:

In fairness, the settings part (where the bank account/PayPal information, addresses etc. live) could not be accessed as they are behind a password. Also, bank account, email etc. are not visible in full, only the last digits, even there.

I really appreciate the work you do for the community Petra, but this time I'm not entirely sure this is accurate: I just double-checked because I thought some of this information IS available right away and found that if you log-off then log-in and click directly on Settings, my full name, address, and telephone are visible. If I then click on "Get Paid" I can see my full PayPal email, the amount of money I last withdrew, and, sure, just the last few digits of my bank account. This without being prompted to enter my password again.

 

I didn't have access to anyone's account during this issue, and I sure hope nobody had access to mine, but if someone was re-directed to my account and then clicked on settings, I really can't be sure whether or not they would've been prompted to enter my password. Maybe it would be a good idea to update the site so that this ALWAYS happens.

 

It could be that something happened, it could be that people are making stuff up (though I doubt it), but what I know for sure is that UpWork remaining quiet about it gives the impression that something bad DID happen and they're having trouble coming up with what to say.



Because I wanted to document the extent of the problem I did click on Settings. It showed my login and took me to my own settings (after asking for my password).

Again, not trying to excuse what happened, just saying what I personally saw.

 

 

I think I'd be more comfortable if the site had actually been hacked and/or our data was exposed due to someone taking advantage of a security flaw. Then when Upwork would say "issue has been resolved", I'd at least know it means the problem was fixed, the hole was closed, and the accounts will never again be compromised through that particular method.

 

But that's not what happened. No one took advantage of anything, no one hacked the site, there was no "security breach" as in someone violating the site's TOS or illegally attempting to access private data. The site just did it on its own. And for the second time in 4 (?) years.

 

(Isabelle asked if anyone remembers a similar issue - I definitely remember it happening before, around the time when they started moving us from Elance to Upwork. The whole situation was absolutely ridiculous and was one of the reasons why it took me almost 3 years to take a second look at this platform.)

 

I just can't wrap my head around it. How is it even technically possible that logins get mixed up like this? What kind of a mess is this platform built on when something as fundamental as this can be so utterly broken (twice?!) by no external factors? What guarantees do I have that the site won't suddenly show someone else's tax info under my own, or show someone else's messages instead of my own, or show someone else's transaction reports instead of my own?

 

... and if the issue has indeed been resolved, how come we weren't asked to clear our cache and change our browsers? I thought that's like step #1 in resolving Upwork issues.

TO: Upwork

FROM: Freelancers and Clients

REGARDING: Security Breach

In this case silence is definitely NOT golden.


Adding to Pat's comment ...

 

Silence reeks of guilt and cover-up behavior.

 

I'm sure this is not Upwork's intent - so please update all of us. Post haste.

 

I continue to get the bizarre message "your password is INcorrect" when I try to change my password thanks to this breach of security.

 

However, I can sign in using the same bloody password so there is obviously still an issue.

 

Again, being told to contact CS is beyond the pale at this point. Which moderator would like to address this? I'll send screenshots. Please, spare me apologies and pro forma words, just fix it.