
So Upwork, this security breach?

Community Guru
Petra R Member Since: Aug 3, 2011
31 of 59

Emmanuel A wrote:

 

When did this happen ?


Under 48 hours ago. Some time during Tuesday morning UTC.

Ace Contributor
Kevin C. N Member Since: Oct 4, 2016
32 of 59

We need to keep this post alive and on the first page of the community. It's bad enough that so few freelancers are aware of this serious security breach, and it is beyond ridiculous that UpWork hasn't said anything about it yet.

 

To add to previous comments, here are some notes from the European Commission, maybe UW will listen to them if not their users?

A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, your company/organisation has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If your company/organisation is a data processor it must notify every data breach to the data controller.


If the data breach poses a high risk to those individuals affected then they should all also be informed.

Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obli...

I'd say a security breach that provides random people access to bank account/PayPal information, NDAs, business conversations, addresses and financial activity surely falls into this last category. But hey, who knows, I'm just a FL, right?

Active Member
Marcus D Member Since: Oct 26, 2017
33 of 59

Still no real response. Shows the complete lack of respect Upwork has for its users.

 

Why do we put up with it?

 

There are far better ways to get clients. I'm out of here, and I suggest you all do the same.

Community Leader
Annette E Member Since: Mar 17, 2018
Community Guru
Petra R Member Since: Aug 3, 2011
35 of 59

Kevin C. N wrote:


I'd say a security breach that provides random people access to bank account/PayPal information, NDAs, business conversations, addresses and financial activity surely falls into this last category.


In fairness, the settings part (where the bank account/PayPal information, addresses etc live) could not be accessed as they are behind a password. Also, bank account, email etc are not visible in full, only the last digits, even there.

 

At least when I found myself seemingly in someone else's account, I could see her profile, but not edit it, messages were not accessible, all reports and contract info were actually my own, and the only thing I possibly could have done was take a skills test.

 

I am not saying the issue wasn't very serious and we don't deserve some immediate reaction beyond acknowledging that we were "startled", but it wasn't as if everyone had access to everything.

 

Interestingly, it seems Elance had a massive breach in 2009 and that didn't come out until a couple of years ago...

 

 

Ace Contributor
Kevin C. N Member Since: Oct 4, 2016
36 of 59


In fairness, the settings part (where the bank account/PayPal information, addresses etc live) could not be accessed as they are behind a password. Also, bank account, email etc are not visible in full, only the last digits, even there.

I really appreciate the work you do for the community Petra, but this time I'm not entirely sure this is accurate: I just double-checked because I thought some of this information IS available right away and found that if you log off then log in and click directly on Settings, my full name, address, and telephone are visible. If I then click on "Get Paid" I can see my full PayPal email, the amount of money I last withdrew, and, sure, just the last few digits of my bank account. This without being prompted to enter my password again.

 

I didn't have access to anyone's account during this issue, and I sure hope nobody had access to mine, but if someone was re-directed to my account and then clicked on settings, I really can't be sure whether or not they would've been prompted to enter my password. Maybe it would be a good idea to update the site so that this ALWAYS happens.

 

It could be that something happened, it could be that people are making stuff up (though I doubt it), but what I know for sure is that UpWork remaining quiet about it gives the impression that something bad DID happen and they're having trouble coming up with what to say.



Community Guru
Petra R Member Since: Aug 3, 2011
37 of 59

Because I wanted to document the extent of the problem I did click on Settings. It said my log in and took me to my own settings (after asking my password).

Again, not trying to excuse what happened, just saying what I personally saw.

 

 

Community Leader
Ines H Member Since: Feb 15, 2017
38 of 59

I think I'd be more comfortable if the site had actually been hacked and/or our data was exposed due to someone taking advantage of a security flaw. Then when Upwork would say "issue has been resolved", I'd at least know it means the problem was fixed, the hole was closed, and the accounts will never again be compromised through that particular method.

 

But that's not what happened. No one took advantage of anything, no one hacked the site, there was no "security breach" as in someone violating the site's TOS or illegally attempting to access private data. The site just did it on its own. And for the second time in 4 (?) years.

 

(Isabelle asked if anyone remembers a similar issue - I definitely remember it happening before, around the time when they started moving us from Elance to Upwork. The whole situation was absolutely ridiculous and was one of the reasons why it took me almost 3 years to take a second look at this platform.)

 

I just can't wrap my head around it. How is it even technically possible that logins get mixed up like this? What kind of a mess is this platform built on when something as fundamental as this can be so utterly broken (twice?!) by no external factors? What guarantees do I have that the site won't suddenly show someone else's tax info under my own, or show someone else's messages instead of my own, or show someone else's transaction reports instead of my own?

 

... and if the issue has indeed been resolved, how come we weren't asked to clear our cache and change our browsers? I thought that's like step #1 in resolving Upwork issues.

Community Guru
Pat M Member Since: Jun 18, 2016
39 of 59

TO:                    Upwork

 

FROM:               Freelancers and Clients

 

REGARDING:    Security Breach

 

 

In this case silence is definitely NOT golden. 

 

 

     

Community Guru
Wendy C Member Since: Aug 24, 2015
40 of 59

Adding to Pat's comment ...

 

Silence reeks of guilt and cover-up behavior.

 

I'm sure this is not Upwork's intent - so please update all of us. Post haste.

 

I continue to get the bizarre message "your password is INcorrect" when I try to change my password thanks to this breach of security. 

 

However, I can sign in using the same bloody password so there is obviously still an issue.

 

Again, being told to contact CS is beyond the pale at this point. Which moderator would like to address this?  I'll send screenshots. Please, spare me apologies and pro forma words - just fix it.
