@zkat Apparently. I didn't even know the slang meaning until people started pointing it out to me recently.
I have yet to find a good explanation for the name.
alesandroortiz@infosec.exchange
-
I have a few questions...
Still waiting on promised postmortem. Latest update from Saturday:
"A security researcher privately disclosed a vulnerability that allowed access to production credentials. We've fixed the underlying issue and are actively working on additional hardening. As a precaution, we immediately rotated our most sensitive production credentials."
-
oh god I just accidentally copied a python virtualenv onto a MS-DOS 6.22 machine
@foone Expect a vortex shortly due to the rip in the space-time continuum you've created.
-
I have a few questions...
@olearysec Yeah, I posted about it here: https://infosec.exchange/@AlesandroOrtiz/116661218239511606
Was still really hoping you were right.
-
I have a few questions...
Kudos to PostHog for the real-time disclosure at least. They could have disclosed this in a quiet blog post a week from now. Only customers subscribed to app status page incidents would be notified via email, so also need to see how they notify customers directly who aren't subscribed to status page.
Also #hugops since security incidents are never fun.
-
I have a few questions...
@olearysec Update: It's a security incident of sorts.
Linked post preview: Alesandro Ortiz 🇵🇷🏳️‍🌈 (@AlesandroOrtiz@infosec.exchange) on Infosec Exchange (infosec.exchange), 1 image attached. Status page incident linked from the post: https://www.posthogstatus.com/incidents/01KSV6HJYKG5QJAP8HVTSQVSM1
-
I have a few questions...
Sounds like an external security researcher was able to access one of PostHog's AWS environments.
Also note the quiet update of the existing status (same timestamp as earlier update; no email sent out to incident subscribers).
"We are rotating keys after a security research team was able to confirm an exploit in one of our AWS environments. We're working with the security research team on the issue. No keys were publicly available, and no data has been compromised. You may see impacts on exports, reverse proxies, and other services. We'll have more updates as we continue to work on this incident."
-
I have a few questions...
@olearysec AFAIK this is the first time they've done any planned maintenance that impacted web app availability, going back several years.
There have been many unplanned issues that impacted web app availability, but none cited anything similar to this (like key rotation or security exercise).
I hope you're right and they forgot to announce it, but it also seems unusual given they haven't done this before in a way that impacted web app availability, either as planned maintenance or unplanned maintenance. All the unplanned maintenance affecting web app uptime I've seen has never cited security exercise or key rotation.
-
I have a few questions... "Security exercise" sounds planned but this is "Unplanned maintenance" on a Friday night.
Is PostHog rotating keys due to a security incident?
-
Holy crap he got it
@SwiftOnSecurity I was just telling my Dad over the phone to install Paint.net but NOT to go to Paint.net, and to not Google "paint.net" because they might click on malicious ads.
-
reluctant to say a single good thing about Twitter for every obvious reason.
@retrohistories I agree. Honestly surprised it has remained untouched through the current era. I thought it would be one of the first things to go given the blatant disregard of facts by top accounts and the audience they want to keep.
-
Discovering that Formula Two teams move their stuff from the pitlane back to the support paddock with these ludicrous golf cart trains has been a highlight
@mjg59 Took me a minute to figure out what was hooked up to the front. Thought it was for golf cart aerodynamics for a moment.

Those back carts can carry a lot too, especially with the people.
-
pronouncing TOCTOU like "hawk tuah" to drive people insane
@gsuberland Can't unhear.
-
I have procrastinated on an important thing for multiple days.
@freddy Obligatory ADHDinos comic: https://www.reddit.com/r/ADHDinos/comments/1shui3s/self_improvement/

-
back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member
@rebane2001 Nice find! I should have woken up earlier to see the details.

-
New: NYC Health and Hospitals says a data breach earlier this year affects 1.8 million people.
@zackwhittaker Is your article about the March 24 notification on their website?
https://www.nychealthandhospitals.org/pressrelease/notice-of-data-breach/
No one in my family has received paper or email notices about this. I learned about it now through your article.
I've been personally affected by lots of data breaches but this one is particularly bad.

-
This post did not contain any content.
@SwiftOnSecurity Thought this was one of @gsuberland's Unsafe Warnings stickers.

-
There is that famous technical interview question that goes: what happens behind the scenes when you type in a domain name and press enter?
@SecureOwl Followed by:
- Malicious ad fingerprints your browser and runs a zero day exploit.
- Your AWS, GitHub, and npm credentials are exfiltrated within seconds.
- Within 5 hours you are triaging a widespread supply chain attack that started with you typing in a domain name and pressing enter.
-
So I've just had a quick play with this and yes, it works.
@GossiTheDog Do you think U.S. authorities could be investigating NightmareEclipse due to their disclosures?
I imagine Microsoft is investigating internally to determine if it's someone with previous/current access to internal info that is still legally protected (by contract or law).
Based on their posts, MS might already know their identity if they have interacted with this person via MSRC and have their payment info for the bug bounty programs.
-
Cracking open a new tube of toothpaste and uh, they shrinkflated the toothpaste 😢
@benjojo Unrelated: TIL about eu.com, a US company pitching itself as a workaround to .eu TLD restrictions.
It's hilarious it's found a market despite easy alternatives like "companyname-eu[.]com".