BrowserStack HACK ATTACK: Service still suspended after rogue email
Admits breach, but only within email address list
Browser testing service BrowserStack has temporarily suspended its services while it recovers from a "hack attack" by someone apparently bent on discrediting the security of the widely used tool.
"We did get hacked. Currently sanitising entire BrowserStack, so service will be down for a while. We're on top of it and will keep you posted," the firm said in an update to its official Twitter account early on Monday, today. "The hacker’s access was restricted solely to a list of email addresses. We'll be back up in a few hours. Sincere apologies," it added.
The admission came hours after developers who used the service received a weird email from BrowserStack suggesting that the service is shutting down. This looks like a hoax by a mischievous prankster who somehow obtained access to BrowserStack's official email account and mailing list.
The rogue email (copy via Pastebin here) claims that BrowserStack was "vulnerable to hacking" (self-evidently true), hopelessly insecure for various reasons (unproven) and about to shut down (wrong). BrowserStack's website — if not its service — remains available.
Developers are calling for BrowserStack to respond to the content of the rogue email which, regardless of its provenance, has raised security concerns. BrowserStack has responded by saying it will get back to its customers with a post-mortem but for the moment (quite understandably) it is more focused on hauling itself back up from the canvas after taking a heavy blow.
"We will post a post-mortem of the attack. Currently efforts are focused on getting the service back on track, and protecting user interests," it said.
BrowserStack provides websites developers with web-based access to real browsers for cross browser testing. The service — which boasts 25,000 customers globally including big names such as Microsoft, eBay, Visa and Johnson & Johnson and 520,000 registered developers — incorporates local testing, mobile devices and pre-installed developer tools. ®
El Reg was forwarded a copy of the rogue email, a copy of which was posted on Pastebin, via a trustworthy source. Going purely from the email itself it's very difficult to say whether it was sent by a prankster hacker intent on causing the maximum amount of mischief or a disenchanted internal employee on the point of quitting. Either way there's no obvious profit motive. The incident prompted one developer recipient to speculate: "Whose Cheerios did you guys piss in?" — a sentiment we can only echo.
Sponsored: Becoming a Pragmatic Security Leader