Datadog, a software-as-a-service-based provider of IT infrastructure monitoring and analytics services, has forced a password reset on all of its user and admin accounts following a breach last Friday.
“We have detected unauthorized activity associated with a handful of production infrastructure servers, including a database that stores user credentials,” company CSO Andrew Becherer said in an advisory. “A user also has reported unsuccessful attempts to use AWS credentials shared with Datadog. To err on the side of caution, we are recommending revocation of all credentials shared with Datadog.”
Becherer said all passwords are hashed with the bcrypt hash function and a “unique salt.” Salting is the introduction of a random data string during hashing, and is designed to make brute-force attacks much more difficult.
The company earlier this year announced a $94.5 million venture funding round. Its agents collect application log data from numerous sources and allow customers to parse that data to monitor application performance. Its customers include Airbnb, Twilio, Netflix, EA, Spotify, and Warner Bros., among others.
Datadog said only its users with a stored password are affected, but it’s forcing a password reset on all users including those using Google Auth and SAML-based authentication.
“On the surface, they are using the correct password hashing option so that [database] may not be an issue, but they did say a customer reported some weird connection attempts so the attacker may have done more than just steal a customer [database],” said Rich Mogull, CEO and analyst at Securosis. “Or maybe they aren’t related, no way to tell yet.”
Becherer said Datadog agents were not affected by this attack.
“They were designed to never receive any data or code from our servers,” he said. “They are also isolated from our own infrastructure, only ever communicating outbound from your instances to us via HTTPS. Our agents do not send local credentials to Datadog servers for storage.”
The company said its services are operational, and that compromised systems and infrastructure have been rebuilt and vulnerabilities patched.
Datadog users should have received two notification emails today. One is the password reset notice; the other is a security notice sent to admin users with instructions to rotate and revoke credentials stored in Datadog.
“We strongly recommend that you immediately revoke or rotate any credentials in use in your Datadog account as described in our email,” Becherer said. “For AWS users, Datadog supports two mechanisms of integration. As you update AWS integration credentials we strongly encourage the use of AWS IAM Role Delegation. This stronger method of AWS integration prevents the sharing of security credentials, such as access keys, between accounts.”
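For teams moving an integration from shared access keys to IAM role delegation as recommended above, the following is an added example (not code from Datadog or from the advisory) that audits a delegated role's trust policy so the role can only be assumed by the intended vendor account. The account ID, external ID value, sample policies and function names are constructed placeholders; requiring the `sts:ExternalId` condition is an assumption based on AWS's standard guidance for third-party role assumption, not something the advisory states.

```python
import json

# Constructed sample: trust policy for a role delegated to a monitoring vendor.
# The account ID and external ID below are placeholders, not real values.
GOOD = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
""")

# Constructed sample: any principal may assume the role and no external ID is required.
BAD = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": "sts:AssumeRole"}]}
""")

def as_list(value):
    """IAM policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_account):
    """Return findings for Allow statements that let a role be assumed too broadly."""
    findings = []
    expected = f"arn:aws:iam::{vendor_account}:root"
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        actions = as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        principals = (as_list(principal.get("AWS", []))
                      if isinstance(principal, dict) else [principal])
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif p not in (expected, vendor_account):
                findings.append(f"statement {i}: unexpected principal {p}")
        # Without an external ID the role is exposed to the confused-deputy problem.
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(pol, "111111111111") or "ok")
```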