We have detected an attack towards AdGuard servers. The most important thing is: AdGuard servers were not compromised. Malefactors used existing databases of email/password pairs previously leaked by different companies. We believe that attackers were able to access some of the accounts, but only few of them which owners used the same compromised email/password pair. If you are not one of them, your personal data was not leaked. We made a desicion to reset all users' passwords anyway, mostly as a preventive measure.
- Today we detected continuous attempts to login to AdGuard accounts from suspicious IP addresses which belong to various servers across the globe.
- These attempts were stopped by a rate limiter which is an obvious measure against bruteforcing users' passwords.
- However, rate limiting is not enough when attacker already knows what password to use. Unfortunately, this seems to be the case. The pairs of email/password used by intruders belong to known databases of leaked accounts.
Where do these leaked databases come from? There were numerous data breaches where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. Some notable examples are breaches of Yahoo, Adobe, VK and many more.
What we did to protect you
- As a precautionary measure, we have reset passwords to all AdGuard accounts.
- We have now set stricter requirements for AdGuard account passwords.
- We have connected to HaveIBeenPwned API — a website that collects data about all known compromised passwords. If the password that you are entering is found in the database of leaked ones, you will see a warning.
Is your account compromised?
We don't know what accounts exactly were accessed by the attackers. All passwords stored in AdGuard database are encrypted so we cannot check whether any of them is present in the known leaked database. That's why we decided to reset passwords of all users.
Just in case, you can check out haveibeenpwned.com and see for yourself if your data was leaked in any of the known data breaches.
Note that your license keys are safe as long as they are binded to devices that you use them on, and nothing bad can happen to these keys. You can continue to manage them via your personal account.
Got it, what shall I do?
You need to set a new password. As we said, we have reset passwords of all users, therefore, to regain access to your account, you need to click on this link and follow the instructions to create a new password. The overall number of compromised accounts is no more than a couple hundreds.
We apologize for the inconvenience, but you know that we care about our users and their data privacy and had to promptly take action. Thank you for understanding!
After this accident we strongly considered introducing the two-factor authentication. We physically can't implement it in one day, but this will be our next step and we will let you know about it as soon as its done.
UPD: the introduction text has been modified to better convey the meaning of the article