What is Tidepool’s Responsible Disclosure Program?
In addition to robust security policies and practices actively maintained by Tidepool’s Security Team, Tidepool runs a Responsible Disclosure Program that is designed to provide a safe and responsible path for security researchers to report security bugs to Tidepool that represent risk to the confidentiality, integrity and availability of our services, software, users, employees, or their data.
Regarding this credential exposure incident, what was disclosed to Tidepool?
Tidepool user credentials had been discovered in an online database composed of compromised web credentials (user emails, passwords, and account profile URL) that had been acquired via spyware, malware, or network security compromise.
Which online system contained the evidence of this disclosure?
The security researcher let us know about the exposed credentials on a system known as phonebook.cz. The repository of leaked credentials also included other systems.
Was Tidepool’s security system breached?
No. Tidepool has performed an extensive investigation. There is no evidence that our systems were breached.
If Tidepool’s systems weren’t breached, then how did the usernames and passwords for these users get exposed?
It’s likely that each of these users was subject to a vulnerability on their personal systems. This could have been through a virus on their personal systems, or a malicious application or browser plugin that intercepted local network traffic or keystrokes.
Who was impacted?
The credentials of 77 Tidepool users were identified in the online repository, representing 0.01% of our users.
What did Tidepool do in response to this disclosure?
After investigating and validating the security report, Tidepool notified impacted users by email that it needed to perform a forced password reset on their accounts.
If Tidepool’s systems were not breached, and this only impacted 77 users, why are you telling everyone?
Tidepool believes in radical transparency. We wanted to share with our community this opportunity to review their personal online security practices.
What does Tidepool do to protect user credentials?
Tidepool uses industry-standard mechanisms for storing and protecting user credentials. All credentials are stored in an encrypted database as a salted secure hash, so that only Tidepool applications can decrypt the data.
All application traffic and data are protected using strong cryptography (256-bit AES), which ensures that application traffic cannot be intercepted and decoded.
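As an added illustration (not Tidepool's own code) of the two points above, the credential store holding only salted hashes and the forced reset applied after a leaked-credential report is validated: the store, the hashing parameters and the sample leaked records below are all constructed for the example.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, salted PBKDF2-HMAC-SHA256 digest).
    A fresh random salt per user means two users with the same password
    get different stored hashes, and the digest cannot be reversed to the
    plaintext. (Argon2 or scrypt are stronger choices where available.)"""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

# Constructed credential store: email -> (salt, salted hash).
# The server side never holds the plaintext password.
USER_STORE = {email: hash_password(pw) for email, pw in [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
]}

# Constructed sample of a leaked-credential dump of the kind described above:
# (email, plaintext password captured on the user's own device).
LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # still current
    ("bob@example.com", "old-password-from-2019"),          # stale, no match
    ("mallory@example.com", "whatever"),                    # not a user here
]

def accounts_to_reset(leaked, store) -> list:
    """Validate a leak report against the store: return the accounts whose
    leaked plaintext still matches, i.e. the ones needing a forced reset."""
    hits = []
    for email, plaintext in leaked:
        record = store.get(email)
        if record and verify_password(plaintext, *record):
            hits.append(email)
    return hits

if __name__ == "__main__":
    print("force reset for:", accounts_to_reset(LEAKED, USER_STORE))
```

Because the leaked records contain plaintext captured before it ever reached the server, the salted hash in the store does not prevent this kind of exposure; it only ensures the store itself reveals nothing if leaked, which is why the response is a reset rather than a change to the storage scheme.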
How could this happen if Tidepool is encrypting traffic and data?
If a local system or trusted network is compromised, or a piece of software such as a “bad” browser plugin is given permission to inspect traffic, it is always possible to capture data.
What can I do to protect myself from incidents like this?
Here are some of the things we do here at Tidepool:
1. Use a password manager (we use 1Password at Tidepool).
2. Use a credible anti-virus program (we use BitDefender at Tidepool).
3. Patch your devices and software automatically.
4. Enable 2-factor authentication for all services that provide it.
5. If an email or text message looks suspicious, or asks for information to be sent to an unfamiliar source, do not click the link.
You also may wish to look for evidence of compromised user credentials using a password manager (for example, the Watchtower function of 1Password), or using a trusted web site like https://haveibeenpwned.com/.
There are a lot of new and creative ways for bad actors to get hold of private information. Some Tidepool employees have even received an email from someone trying to impersonate our CEO. Emails from Tidepool will only come from an address with the domain @tidepool.org, like the one you may have received about resetting your password. We will continue to do our part in trying to keep the internet a safer place.