Solarwinds sends customers each other's complete client lists
Some furious, others rather interested
Software company Solarwinds, which sells IT management tools, has infuriated customers after a faulty alert exposed customers' entire client lists to their competitors.
An unspecified issue affecting the Texas-based business' Remote Management tool, which it gained after acquiring Dundee-based LogicNow, led to a mass leaking of business data last Friday morning.
Alerts designed to notify customers of "Inactive Workstations Marked for Removal" were sent not just to those workstations' controlling customers, but also to all of their competitors within the same region.
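The failure described above is a multi-tenant notification fan-out that is scoped too broadly. The following is an added illustration, not SolarWinds code and not based on any knowledge of the actual RMM implementation (the article calls the cause "unspecified"); it assumes a hypothetical recipient-selection routine keyed on region rather than on the owning account, uses constructed sample accounts and workstations, and shows the per-account scoping plus a pre-dispatch cross-tenant check that would have caught the leak before any email left the system.

```python
from dataclasses import dataclass

# Constructed sample data: two MSP accounts in EMEA, one in North America.
@dataclass(frozen=True)
class Account:
    account_id: str
    contact_email: str
    region: str

@dataclass(frozen=True)
class Workstation:
    name: str
    client: str        # end customer of the MSP
    site: str          # customer site
    account_id: str    # the MSP account that manages this workstation

ACCOUNTS = {
    "msp-a": Account("msp-a", "alerts@msp-a.example", "EMEA"),
    "msp-b": Account("msp-b", "alerts@msp-b.example", "EMEA"),
    "msp-c": Account("msp-c", "alerts@msp-c.example", "NA"),
}

# Workstations flagged "inactive, marked for removal" (constructed).
INACTIVE = [
    Workstation("WS-0001", "Acme Ltd", "London HQ", "msp-a"),
    Workstation("WS-0002", "Globex SA", "Paris Office", "msp-b"),
    Workstation("WS-0003", "Initech Inc", "Austin Plant", "msp-c"),
]

def fan_out_by_region(accounts, inactive):
    """Hypothetical buggy selection: every account in the owner's region is
    a recipient, so each MSP receives its competitors' client/site data."""
    emails = {}
    for ws in inactive:
        owner_region = accounts[ws.account_id].region
        for acct in accounts.values():
            if acct.region == owner_region:
                emails.setdefault(acct.contact_email, []).append(ws)
    return emails

def fan_out_by_account(accounts, inactive):
    """Correct selection: the only recipient is the account that owns the
    workstation, regardless of region."""
    emails = {}
    for ws in inactive:
        acct = accounts[ws.account_id]
        emails.setdefault(acct.contact_email, []).append(ws)
    return emails

def cross_tenant_leaks(accounts, emails):
    """Return (recipient, workstation) pairs where the recipient's account
    does not own the workstation. Empty list means tenant isolation holds."""
    owner_of = {a.contact_email: a.account_id for a in accounts.values()}
    return [(email, ws.name)
            for email, wss in emails.items()
            for ws in wss
            if ws.account_id != owner_of.get(email)]

def render_body(workstations):
    """Plain-text alert body listing client, site and workstation."""
    lines = ["Inactive Workstations Marked for Removal:"]
    lines += [f"  {ws.client} / {ws.site} / {ws.name}" for ws in workstations]
    return "\n".join(lines)

def safe_dispatch(accounts, emails):
    """Guardrail before sending: refuse the whole batch if any message would
    carry another tenant's data. Returns the (recipient, body) pairs to send."""
    leaks = cross_tenant_leaks(accounts, emails)
    if leaks:
        raise ValueError(f"cross-tenant data in outbound alerts: {leaks}")
    return [(email, render_body(wss)) for email, wss in emails.items()]

if __name__ == "__main__":
    buggy = fan_out_by_region(ACCOUNTS, INACTIVE)
    print("region-scoped leaks:", cross_tenant_leaks(ACCOUNTS, buggy))
    for recipient, body in safe_dispatch(ACCOUNTS, fan_out_by_account(ACCOUNTS, INACTIVE)):
        print(recipient, "\n" + body, "\n")
```

The check in `cross_tenant_leaks` is the piece worth carrying into a real pipeline: it is independent of how recipients were chosen, so it catches any future regression in selection logic, and running it in `safe_dispatch` before the mail API is called turns a data disclosure into a failed batch that pages an engineer.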
An email sent by Solarwinds to customers admitted to the issue:
We recently observed some isolated, unusual activity related to your account linked to the latest software update of the RMM dashboard.
A bug in this update created a dashboard-generated email to you that shared information pertaining to workstations that were to be uninstalled/registered as inactive; the email included information, such as client, site and workstation. This email may have been communicated to others, including VARs not affiliated with those accounts. The impact was mostly limited to EMEA and to specific geographies within that region.
We stopped the propagation of these dashboard-generated emails at approximately 0800 am GMT time, and no additional accounts were impacted. We have remediation steps in place to prevent the occurrence of this going forward. Note: This was a bug in the latest update, and there is no evidence that there has been any nefarious activity.
We are continuing to monitor this situation very closely, and we apologize for any inconvenience.
If you have any questions, please contact me directly.
John Pagliuca, SVP MSP
These devices were identified by client and site names, providing roughly 100 companies within the same sector with fairly rich data on their competitors' work.
The general response to this breach has been one of fury, though several individuals additionally confirmed to The Register that they had been enjoying taking a thorough look at their competitors and inferring a lot about them and their practices.
Most affected companies that had been in touch with The Register complained that Solarwinds had yet to respond to their complaints, while account managers at the Texas business had yet to offer anything other than a copy-and-paste response to their concerns.
On condition of anonymity, one individual from an affected business told us he was "livid about this data breach".
On the morning of 3 March 2017, we received dozens of mails listing computers, clients and client sites. The emails were supposed to be administrative alerts to highlight defunct PCs. We received details of thousands of PCs managed by competitors and a list of our client information was sent to our competitors.
15 hours after the incident, Solarwinds sent [the above email, stating:] This was a bug in the latest update, and there is no evidence that there has been any nefarious activity.
Well that's alright then! Nevertheless we are changing all passwords.
A Solarwinds spokesperson told The Register: "On March 2, 2017, SolarWinds MSP released a software update to its Remote Monitoring and Management (RMM) product. A bug in the RMM EMEA dashboard in this software update created dashboard-generated emails that included limited customer information to a small set of MSPs/VARs not affiliated with those accounts.
"This dashboard functionality was promptly disabled, and we stopped the propagation of these dashboard-generated emails at approximately 0800 GMT on March 2, 2017. Since we have disabled the functionality, no additional accounts were impacted.
"We are managing the information disclosure consistent with our regulatory responsibilities and have been in touch with the limited number of customers impacted to explain the situation. We have taken appropriate measures to remediate the impact and to prevent future recurrence." ®