Quick Summary: Bad actors are using stolen passwords to access customer accounts, and then using the API keys from those accounts to siphon off small portions of traffic.
Please note: There has been no security breach on Everflow’s side.
How the fraud actually works: Using the API key, the bad actors are changing the destination URL for three to five minutes every hour to send traffic to their offers, instead of the original destination.
This is likely a widespread issue: Our monitoring caught this fraud tactic quickly with only a handful of Everflow clients impacted; however, our investigation and conversations with customers confirm that this fraud tactic is being used to steal significant volumes of traffic from networks and agencies across non-Everflow platforms.
We advise all networks and agencies to investigate their campaigns for suspicious manipulations of their destination URLs, and to take the security precautions below.
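One way to run that investigation, as an added example that is not Everflow's code: the script below scans a destination-URL change history for short-lived changes to a different host that are reverted within minutes, and reports offers where the pattern repeats. The log layout, the offer IDs, the URLs and the 10-minute window are assumptions constructed for illustration; map the fields from whatever change history your tracking platform exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample change history: (timestamp, offer_id, old_url, new_url).
# The field layout is an assumption, not a real platform export format.
SAMPLE_LOG = [
    ("2024-01-10T09:00:00", "offer-17", "https://shop.example/landing", "https://shop.example/landing?v=2"),
    ("2024-01-10T13:12:00", "offer-42", "https://brand.example/lp", "https://other.example/offer"),
    ("2024-01-10T13:16:00", "offer-42", "https://other.example/offer", "https://brand.example/lp"),
    ("2024-01-10T14:11:00", "offer-42", "https://brand.example/lp", "https://other.example/offer"),
    ("2024-01-10T14:15:30", "offer-42", "https://other.example/offer", "https://brand.example/lp"),
    ("2024-01-10T15:00:00", "offer-99", "https://a.example/x", "https://b.example/y"),
]

def find_flip_reverts(log, max_window=timedelta(minutes=10)):
    """Return destination changes to another host that were reverted within max_window."""
    by_offer = defaultdict(list)
    for ts, offer, old, new in log:
        by_offer[offer].append((datetime.fromisoformat(ts), old, new))
    findings = []
    for offer, changes in by_offer.items():
        changes.sort(key=lambda c: c[0])
        # Compare each change with the next one made to the same offer.
        for (t1, old1, new1), (t2, old2, new2) in zip(changes, changes[1:]):
            reverted = old2 == new1 and new2 == old1
            host_changed = urlsplit(old1).hostname != urlsplit(new1).hostname
            if reverted and host_changed and t2 - t1 <= max_window:
                findings.append({"offer": offer, "start": t1, "temporary_url": new1,
                                 "minutes": (t2 - t1).total_seconds() / 60})
    return findings

def recurring_offers(findings, min_repeats=2):
    """Offers with repeated flip-and-revert windows (the recurring pattern)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["offer"]] += 1
    return sorted(o for o, n in counts.items() if n >= min_repeats)

if __name__ == "__main__":
    hits = find_flip_reverts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["offer"]}: {h["temporary_url"]} live {h["minutes"]:.1f} min from {h["start"]}')
    print("recurring:", recurring_offers(hits))
```

A permanent change (offer-99) or a same-host edit (offer-17) is not flagged; only the brief swap to another host and back is.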
The full story:
In December, Everflow’s internal monitoring detected spoofed login activity for several customers. We notified the customers and confirmed that this activity was caused by external bad actors. Further research concluded that the unauthorized access was associated with users reusing passwords across multiple websites, and that password information had been stolen in a breach of one of those websites (not Everflow).
The bad actors were using these stolen passwords to access customers’ accounts, obtain their API keys, and then use the API to siphon off portions of traffic to their own offers.
This issue was caught quickly and promptly resolved for our customers.
Further investigation by our customers confirmed that similar fraud techniques had also been used to steal traffic from their partners who were using non-Everflow tracking platforms. Please be advised and stay vigilant with your traffic and partners.
Here is how you can protect yourself from this issue:
- Turn on 2FA on all Everflow user accounts. This will stop unauthorized activity even if the password has been compromised.
- Avoid using the same password across multiple websites. These websites can be breached without you knowing, leading to the passwords being stolen and re-sold on the dark web.
- Use a unique password for each user so that a shared password cannot be exploited.
Quickly catching this new fraud tactic and bringing it to our customers' attention is further proof of Everflow’s commitment to provide the best service and experience for our customers.
If you have further questions on this issue, please reach out to your account manager or email privacy@everflow.io.
Bonus FYI:
Could Everflow’s user passwords be breached? The answer is no! Every password is automatically hashed and salted, which means it can’t be accessed by anyone (including us).