We have detected a vulnerability in one of our Tenfour.org servers that could have caused some user data to be exposed. We have secured the affected services, and while it is not certain that any user data has been obtained by a 3rd party, there is potential for it to have happened. Because of this, we notified all the affected users within 72hs of discovering the issue (as soon as initial research was done).

After the notification period, our team continued researching the problem and confirmed that an AWS bucket containing data about some users (uploaded through the "Import contacts" TenFour feature), which initially was thought to be potentially exposed, was actually not accessible by using the leaked credentials.

Based on this finding, this Is the updated potentially leaked information:

- If you aren't a TenFour organization owner, your data was *not* leaked. This was confirmed today by our team.

- If you are a Tenfour organization owner, the following information could have been accessed, provided you added it during the signup or upgrade process:

  • Last 4 digits of credit card number
  • CC expiration date
  • Country of issue for your credit card
  • Full name
  • Email
  • Phone number

We have taken the following measures

  • Regenerated all access credentials to our servers and services related to tenfour.org and revoked old credentials.
  • Identified any potentially leaked data and notified affected users.
  • Notified relevant authorities of this potential data breach.
  • Applied a patch to the vulnerable code, to eliminate the vulnerability.
  • Worked on more research after notification (this update)
  • Started working on better processes to prevent the same thing from happening again.

What You Can Do to protect yourself

If you detect any suspicious messages being sent to your phone, email, or any correspondence you cannot identify as legitimate, please do not respond to it and be extremely wary of any links or instructions sent by it. Ushahidi will never ask for your password or full credit card numbers to be sent through one of our communication channels such as Intercom, SMS, Twitter or email.

For more information about this issue please contact data@ushahidi.com.