E Foundation/ecloud Security Notice June 15, 2022

We have confirmed, based on a recent investigation, that limited user data was leaked on Sunday, May 29th, 2022, impacting 26 of our cloud users.

While our services were in an unexpected state due to a service migration, we encountered some authentication conflicts. During this time window, these conflicts led to some users connecting to our services (379 users in total) being wrongly authenticated and potentially seeing files belonging to the 26 impacted users, restricted to files that were uploaded by the affected users during this time window.

These files could have been pictures, videos, or any file stored on the cloud by those users. This leak did not affect email, calendar or contacts.

The bug happened at 8:59AM UTC and was corrected at 9:15AM UTC on Sunday 29th of May.

Our investigation helped us identify potential holes in our processes that we have fixed since then.

Below are FAQs containing details about this issue and steps that users can take to help protect their accounts.

What happened?

Between the 26th and 29th of May 2022, we conducted major migrations of our cloud services, moving to a new infrastructure with a double purpose:

  • we have added the foundation for an SSO (Single Sign On) mechanism that will allow all users to authenticate using only one account across all our websites, instead of having a dedicated account for each of them. For instance, users of community.e.foundation will eventually be able to sign in to gitlab.e.foundation with the same account.
  • we have deployed a new user interface at ecloud.global, and new features, that will make users’ lives easier and the service more appealing.

The migration went well overall until Sunday, May 29th, when we detected a human error in one of the final migration scripts, which was meant to fine-tune system performance.

On Sunday 29th of May, between 08:59 and 9:15 UTC, this error led to an unexpected state of our cloud services, during which we encountered some authentication conflicts. Some users may have been authenticated as a different user and might have seen other users’ files. Potentially all files uploaded in this window were distributed to other requesting users, at most 297 times in total according to our findings.

This bug didn’t impact email, calendars or agenda.

The bug was corrected and the authentication issues were resolved at the end of the above time window. The service has been working properly since then.

Was my account affected?

We have notified by email the 26 impacted users who uploaded data during the impacted time frame.

We have notified by email the 379 users who potentially received some other users’ files during the impacted time frame.

What content has been leaked?

222 files leaked in total. Files could have been pictures, videos, or any file stored on the cloud by those users. This leak did not affect email, calendar or contacts.

I have received an email saying I was one of the 26 users impacted, what shall I do?

Please make sure that you follow the guideline received in this email so that your files are properly synchronized in your personal cloud space.

I was one of the 379 users that could access others’ data, what shall I do?

You should have received an email communication from our cloud admin team. If it is not the case, please contact us at: security [at] e [dot] email

What is e Foundation or now Murena.io doing to protect my account?

We have taken action to protect our users, including:

  • We have notified affected users.
  • We are asking affected users to check their synchronization.
  • We are actively working to implement end-to-end encryption for our cloud services.
  • We continue to enhance our systems that detect and prevent unauthorized access to user accounts.
  • We continue working to improve our administrative processes on this matter.

Was this leak shared with the authorities?

We reported this incident to the authorities shortly after it occurred, as we are required to by law.