This is the second time this summer we have written about Elance, a service that allows companies and individuals to hire and pay independent professionals and contractors online, and once again it’s not good news but another security issue. A registered user of the service, Salma Jafri, tells us she has been receiving dozens of private messages that were erroneously sent to her account, some of them containing confidential information and sensitive data such as login details for Elance accounts and third-party servers.
Members have been alerting the company to the problem since the security breach became apparent a couple of hours ago, but Elance has apparently neither dealt with it nor responded to any inquiries, say Jafri and numerous others in the website forums. We’ve contacted the Mountain View company as well but haven’t heard back so far.
Something’s seriously wrong though. Members are complaining in the forums (screenshots below) that they’ve received over 50 e-mails so far that were not meant for them. Several of them reportedly contain sensitive data from clients, like login details and private information about their accounts and activities.
Elance members reading this: you might want to verify what you’ve sent your clients the last few days and change any login credentials you’ve passed on. Who knows who else has been reading along.
(Thanks for alerting us, Salma)
Elance’s CMO, Brad Porteus, has issued a statement confirming and apologizing for the breach in security:
Here is what we know so far about the Daily Summary emails that many have reported receiving earlier today.
Once a day, Elance sends an email (to those who elect to receive them) that summarizes the previous 5 messages posted in the digital Workrooms that facilitate collaboration between service providers and their clients. Such communications are typically messages that occur either in real-time between parties or are left in a bulletin board format.
Yesterday, one of our engineers made a change to the script that initiates this nightly process. The changes were tested, but the errors were not identified. As a result, last night’s batch of such Daily Summary emails was initiated at 1:30am Pacific time, and unfortunately an unknown number were erroneously sent to parties that were neither the provider nor the client. The error was discovered at 2:30am and the process was halted by 2:50am.
The sending of daily digest emails has been stopped until such time that we can be assured that this error has been fixed.
This mistake happened due to human error on our side. It is inexcusable and we are sorry for it.
Our immediate priorities are to focus on understanding the impact these messages have had (how many were sent and to whom), and then to proactively communicate as appropriate to all parties who have been affected. This will take some time, so please be patient while we figure everything out.

No one’s minding the store – apparent that they don’t have any means of getting alerted to problems 24/7.
That mouse over ajaxy image stuff is annoying and disconcerting, please turn it off.
Seconded.
Thirded.
but don’t you guys wanna share your links???????
+1
It stinks. Ditch it.
Agreed. It looks cool but is just annoying.
All the more reason not to send passwords by email.
You mean by eLance private message?
Another reason why I hope you guys will give http://www.vois.com a try! No membership fees, no % of earnings taken, and totally decentralized!
Just had a look Craig. Not much there, but it looks nice. Elance has become the haven to $3 per hour Indians.
Doug we are trying to show that the domestication of outsourcing could take place in your own town, not realizing that there is local talent nearby! Hopefully we will get more projects, which in turn will bring more providers!
How could this happen? Yesterday my elance account gets suspended and now I am receiving tons of emails from projects I don’t know anything about…. I can’t even post on the forum because of the suspended account. This is stupid their upgrade was a complete FAILURE. I think they can get sued for this. It is a serious security problem. I think I have about 4 emails that contain user accounts and passwords ….
well yesterday odesk.com was also messed up — they closed *everyone’s* projects.
Here’s the message they sent people:
We are currently working on a known bug, and expect resolution soon. With this bug, all active openings have been closed early, and all assignments have been lost. We are restoring as we speak, so please do not recreate the opening or reapply, and updates for this issue will be posted in the community forum as they become available. We have every intention of restoring the openings to the previous state, and we will keep you posted. You can link to the Forum here: http://www.odes....com/community/
That’s what happens man when you pay $5/hr to indian to write your software.
Congratulations for that comment.
Yes, and if you pay $50/hr to john and his friends – you won’t even get broken code back. you’ll just get tons of attitude and overinflated sense of entitlement.
$5/hr indians sound like a much better deal to me.
+1…
I woke up this morning to find the details of over 80 different projects in my inbox.
I’ve been sent SQL Server sign-in information, administrative credentials for servers, and even payment info.
What I don’t understand is how there is no response whatsoever from eLance on this matter. Nothing on the homepage telling us they’re looking into the problem. Nothing in help. Nothing in e-mail. Nothing on the blog. 80 posts on the forums and no response from eLance.
They’ve just violated the privacy of 80 paying clients! And no response!
This is after a couple of months ago where our passwords were compromised.
I’m not paying $20/month for utter incompetence anymore.
they just put up a blog announcement here:
http://www.elan...com/p/node/7245
I think they just REMOVED themselves from the Gene Pool. The legal repercussions this has is insane..and will wipe them out.
That’s what u get hiring $3/hour indians….
Did someone lose their job to an Indian I am guessing?
You know where you can get quality engineers to fix this problem? elance.com!
Ha!
Though even $3 Indians could not have made such a silly mistake!
For many years, the Boston Globe would send out emails in such a way that if you reply to them and you have the same email provider that I do, the reply would go to me.
So periodically I would get credit card details mailed to me, people would ask me why their ad selling their porn video collection didn’t appear in the sunday edition, that sort of thing.
I emailed the Globe and they refused to even acknowledge the problem. And all they needed to do is add their own domain name to the appropriate field.
hmm, so maybe this is why code review was invented.
Perhaps elance could explain its development methodology and how they will be improving it
Maybe they should try giving one of their own tests too
For those people following this, here’s an update.
A “daily summary” email notification from 73 Workrooms were mistakenly sent to unintended recipients early this morning due to human error.
This email notification is sent to subscribers once a day with a summary of the day’s communications from the Workroom.
We’ve notified all affected parties, and are keeping our community up to date here:
http://www.elan...ail_update.html