Elance Hit By Security Breach
by Jason Kincaid on July 16, 2009

We’ve just gotten word that development-outsourcing site Elance has suffered a security breach, compromising some user information that included names, addresses, phone numbers, and location (no financial information was taken).

Multiple users have received the following letter:

It has recently come to our attention that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information. This incident did not involve any credit card, bank account, social security or tax ID numbers.

We have remedied the cause of the breach, and are working with appropriate authorities. In the meantime, please take extra precautions in protecting your Elance account. For example, do not provide your login information on any site that is not http://www.elance.com, and NEVER give out passwords by email, over the telephone or on websites that are not the Elance site.

We sincerely regret any inconvenience or disruption this may cause.

For more details and ongoing information about this, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html

Michael Culver
Vice President
Elance

Elance’s security alert site reveals that the data was taken by hackers who discovered a security hole on the site:

The hackers discovered a security hole on an unprotected page that enabled them to access a data table that contained contact information including name, email address, telephone number, city location, and username, and that contained protected versions of user passwords, in an unreadable format called a one-way hash. Their attack did not access personal financial information such as credit card, bank account, social security or tax ID numbers.

In a bizarre twist, Elance’s security site says that some of the stolen user data is now appearing on OutsourcingRoom.com, a competing service. Elance writes that it is working to have the data removed.

This is only the latest in a recent string of security breaches on major web services. It’s obviously nearly impossible to guard against every kind of online threat, but if we’re going to become comfortable having our entire computing experience in the cloud, things need to change.


Comments

  • When WebHostingTalk.com was hacked a few months ago, they also said “but no financial information”… until a few days later they realized all that was taken too.

  • Are you going to post the confidential info for this company too?

  • Not news someone who signed up for Elance yesterday wants to hear.

    • Thing is, I doubt any of the other sites are any better. Even if they’re not being hacked, they’re certainly full of spammers and chancers.

      There’s definitely an opening in the market for a higher quality freelancer community.

  • Saw this item on Twitter. Found the story interesting. No site is safe. Damn clever hackers, wish I could get them to work for me on white hat stuff. Among the 8,000 domains we own, it’s a lot of work trying to find how the intruder got in and then plugging the hole.

    • Web app pen-testers are readily available on every continent. It’s ridiculous that Elance failed to employ one… or if they did, they sucked.

      Given what was described, it’s plausible no financial information was taken (could be the web app maintained only database write privs for the financial tables).

  • Eric Rauschenberg - July 16th, 2009 at 9:52 pm PDT

    They were not hackers, they were deep-cover journalists… well, I think that is what we call them now.

  • I can confirm this may be worse than they’re letting on. My company was one of those to receive this e-mail and we have recently seen the amount of unsolicited phone calls go from 0 to about 3 dozen this week… and while our publicly listed e-mail accounts have always been hit by spam, now a lot of our internal e-mail addresses have gone from a lifetime of 5 spam e-mails to over 20 a day.

    Contact information is likely being sold.

    If this gets worse it will be crippling to our customer communication infrastructure, at which point we’ll bring in a legal specialist to evaluate our options concerning the ToS and an auditor to calculate monetary damages.

    • I used a special address for my Elance account and haven’t gotten any spam … yet.

      Maybe your network security was broken as well.

      • This is indeed an issue of importance. For people like us who buy and sell services through Elance, this is shocking news. As a long-term Elance user, we can say that we have not had any security problem so far. Yes, selling of contact information can cripple our communication network and can result in downtimes. We hope financial data is not lost and Elance fortifies itself well in the future.

    • Wouldn’t obtaining some proof they are the source of your spam have to come before calculating damages? You have to win the case, and timing alone isn’t going to be convincing to a judge.

      • Michael Bennett - July 17th, 2009 at 6:26 am PDT

        You raise a good point. Information that’s public, e.g. in directory listings, on websites, etc., that could be easily scraped and redistributed receives spam, but nowhere near the volume of spam that our more protected information has begun receiving.

        This is likely because the more protected information was sold as very reliable, the kind guaranteed to deliver the spam where you’d want it to go.

        In any case, we can’t and won’t let Elance skirt by on this, and have to begin evaluating our options.

    • @Bennet – there is no need to get a lawyer involved. They are the scum of the earth.

      • Michael Bennett - July 17th, 2009 at 6:29 am PDT

        If you ever want to discuss lawyers and why you have such a bad opinion of them… you should message me on MSN.

        myfirstname.c.mylastname@live.com

      • Why would you say such a thing?

        I know a wonderful lawyer who taught the most interesting business law classes at university then gave me personal recommendations to grad school.

        And another great lawyer who’s a wonderful mother, balancing her home time and work as a lawyer, and recently defended a small site owner against a big company that wanted to take their domain for trademark infringement, when there was not even a semblance of similarity!

  • Easy way to get a tax break…

  • I have an account with Elance and have yet to receive this email – thank God. This does make me uncomfortable, thinking that in the near future a lot of my personal information will be accessible through these types of services, and if they are hit by malicious activity it would cause major disturbances to myself and the rest of their members.

  • Connect Test on TechCrunch

  • It is really surprising to see these comments, especially after Elance has clearly mentioned that no confidential data was lost. In fact, even the passwords were encrypted, so the thieves can’t do jack s**t with the data. As far as names and email addresses are concerned, these are routinely available on internet sites such as Four11, etc., so stop cribbing. They have confirmed that this loss was weeks back, so if any damage was to happen it would have, and since none of us has seen any repercussions of this theft, there is none pending! Elance is a secure and safe marketplace and I am glad they have security in place to minimize such hacking.

    • Michael Bennett - July 17th, 2009 at 7:03 am PDT

      You’re incorrect, we have realized losses and damages as a result of this theft. I doubt my company is the only one.

    • We were new to elance just this week, so find it curious that if the breach was discovered a few weeks ago why we should get this notification only after ‘upgrading’ to their paid service!

      The service quite frankly is bogus. After a couple of days and discovering a number of shady bids, we realized that either it’s loaded with shill posters, or spammers.

      Thus it seems the business model is to try to lure hardworking contractors like us to ‘upgrade’ from the free level.

    • @Shamit Khemka

      > even the passwords were encrypted so the
      > thieves can’t do jack s**t with the data

      Actually, they can indeed do s**t with the data. And probably are doing s**t with it.

      This topic is covered in most books on cryptography, but you can also read a very quick overview on wikipedia (see “Password cracking”).

      Depending on their system design, it may not even require cryptanalysis to recover at least some of those passwords (e.g., if any of the hashes can be found in the variety of rainbow tables out there).

      It is best to look at the vendor’s claims of security with a wary eye. In this case, I believe that Elance is understating the risk. Consider your password on Elance to have been compromised and change it on any sites that you may have re-used that password on.

    • Passwords “encrypted” with a poor hash function (which is not encryption at all) are just as good as plain text. Grab an MD5 dictionary, and if they have a password that generates the same hash as yours, they can log in to any other site using the same type of hash to “encrypt” your password… as you.

  • Is our credit card information safe with Elance anymore?
    When someone admits one thing, there are ten things which are hidden…

  • They deserve it. I did a few jobs through them because they claimed to have dispute resolving. They didn’t. I lost about $4,000.

  • PLEASE POST SOMETHING ABOUT TWITTER ON TECHCRUNCH. IT HAS BEEN WAY TOO LONG.

  • Hi Michael,

    Maybe you should start moderating the comments?

    The trolls are really starting to get quite fierce…

  • I too have an account with Elance and have not seen an email, but it’s good to know when these breaches occur. Awareness is very important.

    For those saying that they will never use a service after a breach – that’s like saying you won’t go back to your house after it has been broken into.

    For information on best practices for securing your information online, you might want to read these simple tips:

    http://www.gils...-privacy-online

  • I like how they add:

    “In the meantime, please take extra precautions in protecting your Elance account. For example, do not provide your login information on any site that is not http://www.elance.com, and NEVER give out passwords by email, over the telephone or on websites that are not the Elance site.”

    trying to subconsciously spin this breach as a possible user problem…

  • As to be expected I would have to recommend http://www.vois.com, no fees, no % taken, no security breaches

  • Oh God

    Nothing is safe these days. Told you those freelance marketplaces are not a good idea.

    Imagine how much valuable business data is on the platform.

  • what do you do with an eboil?

  • OMG so it is true there’s a HACKER WAR out there targeting anything they can get. WHEN WILL THIS MADNESS STOP. YOU HACKER B*STERDS. even got my fave forum targeted.

  • Sigh… thank you, Elance, for making me spend the entire morning changing my passwords.

  • Just got that email actually, do you think there’s no possibility of those hackers getting financial data?

    • There are too many factors we’re not aware about to speculate. But if I were a member there with stored payment information, I’d be logging into online banking every day to watch for fraudulent charges.

  • > that contained protected versions of user
    > passwords, in an unreadable format called a
    > one-way hash.

    The story evolves. The site now says “passwords were protected with encryption.”

    Maybe Elance is naive about encryption and password hashes. Passwords that have been “encrypted” through a one-way hash are not necessarily “secure” — There are a number of factors that affect how easy/difficult it is to recover the original passwords. In the absence of additional information about their system design regarding password hashing methods, it is difficult to determine the risk. However, it is interesting to note that Elance is requiring all users to change their passwords. That is a veiled clue to users. It would be helpful if Elance was more specific and to-the-point:

    Elance users should consider their passwords to have been compromised.

    If the password you used on Elance has been used on other web sites, your other web site accounts are at risk, and you should absolutely change your passwords on those sites, and strongly consider using unique passwords for each site [reference this week’s Twitter/TC debacle].
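  The two comments above (the reply to Shamit Khemka and this one) make the same point: a “one-way hash” of a weak password is only as good as the hashing scheme behind it. The following is an added example written for this page, not code from the original thread and not Elance’s code. It assumes a record format of username plus unsalted MD5, which is an assumption (Elance never disclosed its hashing method), and all usernames, passwords and wordlist entries are constructed sample data. It shows why an unsalted hash of a common password is effectively a table lookup, that unsalted hashing also reveals which users share a password, and how a per-user salt with a slow iterated function (PBKDF2-HMAC-SHA256 here) removes both problems.

```python
"""Unsalted one-way hashes versus salted, stretched hashes: risk and mitigation."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample wordlist: the kind of entries a precomputed MD5 dictionary holds.
WORDLIST = ["password", "123456", "letmein", "qwerty", "elance2009"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 digest as hex: the weak 'one-way hash' storage format."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_md5_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; the same table works against any site using unsalted MD5."""
    return {md5_hex(w): w for w in words}


# Constructed 'leaked' records (sample data, not real users): username -> unsalted MD5 of the password.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("123456"),
    "dave": md5_hex("123456"),             # same password as bob: identical digest, visible in the dump
    "carol": md5_hex("q7!Kd#2mZp&Lw9vR"),  # a strong password that no small wordlist contains
}


def recover_unsalted(leaked: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Match leaked digests against the precomputed table: one dictionary lookup per user, no cryptanalysis."""
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


def identical_digest_groups(leaked: Dict[str, str]) -> Dict[str, List[str]]:
    """Unsalted hashing leaks which users share a password before any digest is reversed."""
    groups: Dict[str, List[str]] = {}
    for user, digest in leaked.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Mitigation: a random per-user salt plus a deliberately slow, iterated function.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh 16-byte salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


def salted_records(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Store every user's password under its own salt, so equal passwords no longer share a digest."""
    return {user: hash_password(pw) for user, pw in passwords.items()}


def precomputed_table_hits(records: Dict[str, Tuple[bytes, bytes]], lookup: Dict[str, str]) -> Dict[str, str]:
    """The MD5 table matches nothing here: each guess must instead be recomputed per user at full cost."""
    return {user: lookup[dk.hex()] for user, (_, dk) in records.items() if dk.hex() in lookup}


if __name__ == "__main__":
    table = build_md5_lookup(WORDLIST)
    print("recovered from unsalted dump:", recover_unsalted(LEAKED_UNSALTED, table))
    print("users sharing a password:", identical_digest_groups(LEAKED_UNSALTED))
    salted = salted_records({"bob": "123456", "dave": "123456"})
    print("table hits against salted records:", precomputed_table_hits(salted, table))
    print("bob and dave digests differ:", salted["bob"][1] != salted["dave"][1])
```

  Run as a script, the unsalted dump gives up three of four sample accounts instantly and exposes that bob and dave share a password, while the salted records yield no table hits and distinct digests for the same password. Whether Elance’s storage looked like the first half or the second is exactly the “system design” detail the comments say was never disclosed.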

  • That’s fun: the OutsourcingRoom.com database does not come from Elance – I know it for sure, as I have used different emails for Elance and ScriptLance (SL was hacked on the 4th and they have no balls to issue emails about it; they just switched off the forum and kept silent), so basically OutsourcingRoom.com has data from the SL database, as they are spamming me using the email dedicated to SL, not the generic one I’ve used for Elance.
    Heck, it looks like a war: 2 freelance sites hacked within a month.

  • I found the phones database of Elance…
    Look on Twitter!

    https://twitter.com/denparker
    Download it – http://rapidsha...phones.zip.html

  • I think Elance sold the database…

  • Soon we’ll see our credit card info on rapidshare… :( Hate elance(

  • I hope that the credit cards are kept safe. Again, why the fuss if they only took the more or less public data?
    Smells bad to me…
    Anyway, I did not work with Elance in the past 6 months, as the economy collapsed. People from India and China work basically for a “thanks”.
    Now, is there a reason to keep my Elance profile? Should I trust them? Heh….

  • Dmitriy Okhrimenko, CEO of CyberBionic Systematics, on OutsourcingRoom and Elance

    http://outsourc...urcingRoom.aspx

  • Elance also lost credit card numbers. The hacker has already abused my card; Mastercard locked my credit card yesterday.

  • I own an account on Elance, so I was surprised that my info was on OutsourcingRoom.com, which I do not remember signing up for. I think I discovered this way back, prior to Elance having discovered the attack.

  • There is more to it. I received numerous messages which appear to be daily summaries for projects on Elance; none of them have anything to do with me.

    The summaries have private messages for those projects, with project details, email/phone as signature.

    Jason – Where can I email a screenshot?

  • I am sorry, but my credit card information was stolen from Elance. I’ve got a statement from the bank with some unusual transactions, all from the USA, and I live in the UK. Fortunately I had no big money in it. I should contact Elance now and ask.
