Send urgent or sensitive reports directly to the support center.
Have you discovered a web security flaw that might impact ProZ.com? Please let us know. If you submit a report, here is what will happen:
On November 20, 2012, at around 09:55 GMT, ProZ.com's dedicated ad server was infected with malware. That malware was active for about four hours, after which time ProZ.com's banner ads were turned off. The cause was determined to be known vulnerabilities in out-of-date versions of the ad server software. The ad server was reinstalled with the latest software, and brought back online.
Then, on December 3, 2012, the ad server was infected with malware again, between 11:55 and 13:08 GMT. The infected ad server was taken offline again, this time permanently.
The direct effect of this malware is that a site user who visited a page with banner advertisements could have received content from, or could have been redirected to, a site other than ProZ.com. It is possible that this content could have been malicious. This caused alerts to be issued by some antivirus programs (such as Norton, Avast, and Kaspersky).
Beyond redirects, there have not been any substantiated reports of service interruptions or other consequences from this malware. However, anyone who accessed ProZ.com during this time is strongly advised to run an anti-virus scan as soon as possible, even if no symptoms have been noticed. If you don't have anti-virus software, try the free Avast anti-virus (for Windows and Mac) and MalwareBytes anti-malware programs.
Any user who viewed a ProZ.com page containing banner ads between 09:55 and 14:00 GMT on November 20, 2012, or between 11:55 and 13:08 GMT on December 3, 2012, could have been affected.
Email notification has been sent to users who appear to have viewed ads during this time.
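Scoping "who may have been affected" from the server side comes down to the facts stated above: the exposure windows (given in GMT), which requests were for pages that carried the banner slot, and which of those were made by logged-in users who can be notified. The following is an added example, not ProZ.com's code or a description of how ProZ.com did this; it assumes standard combined-format web server logs, assumes that banners appeared on HTML pages rather than on static assets, and runs over constructed log lines. The point it makes that the prose does not is that log timestamps often carry a local offset and must be normalised to UTC before the window is applied.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Exposure windows stated on the page, all GMT (UTC), inclusive of both ends.
INCIDENT_WINDOWS = [
    (datetime(2012, 11, 20, 9, 55, tzinfo=timezone.utc),
     datetime(2012, 11, 20, 14, 0, tzinfo=timezone.utc)),
    (datetime(2012, 12, 3, 11, 55, tzinfo=timezone.utc),
     datetime(2012, 12, 3, 13, 8, tzinfo=timezone.utc)),
]

# Assumption: banners were embedded in HTML pages, not in static assets,
# so requests under these prefixes are not "pages containing banner ads".
STATIC_PREFIXES = ("/static/", "/images/", "/css/", "/js/")

# Apache/nginx "combined" format: ip ident authuser [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real ProZ.com logs). Note the +0100 offsets:
# the window must be applied after normalising every timestamp to UTC.
SAMPLE_LOG = [
    '203.0.113.5 - translator1 [20/Nov/2012:10:14:02 +0000] "GET /kudoz/english-to-spanish/1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - translator1 [20/Nov/2012:10:14:03 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2012:15:30:00 +0000] "GET /forum/5678 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - translator2 [03/Dec/2012:12:30:45 +0100] "GET /forum/5678 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - translator2 [03/Dec/2012:14:05:00 +0100] "GET /profile/4321 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Dec/2012:13:00:00 +0000] "GET /profile/9999 HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; the timestamp is converted to UTC."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def in_incident_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in INCIDENT_WINDOWS)


def served_page_with_ads(path: str, status: int) -> bool:
    """Assumption: a successfully served non-static page carried the banner slot."""
    return status == 200 and not path.startswith(STATIC_PREFIXES)


def find_exposed(lines: List[str]) -> List[Dict]:
    """Requests that fall inside a window and were for an ad-bearing page."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and in_incident_window(rec["ts"]) and served_page_with_ads(rec["path"], rec["status"]):
            hits.append(rec)
    return hits


def exposed_users(lines: List[str]) -> List[str]:
    """Logged-in usernames to notify ('-' in the authuser field means anonymous)."""
    return sorted({r["user"] for r in find_exposed(lines) if r["user"] != "-"})


if __name__ == "__main__":
    for r in find_exposed(SAMPLE_LOG):
        print(r["ts"].isoformat(), r["ip"], r["user"], r["path"])
    print("notify:", exposed_users(SAMPLE_LOG))
```

Of the six constructed lines, only two qualify: the static asset, the request after 14:00 GMT, the 404, and the request logged at 12:30 +0100 (11:30 GMT, before the window opened) are all excluded. Anonymous hits cannot be matched to an account, which is why the page can only say that notification went to users who "appear to have" viewed ads.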
The ad server software that enabled this exploit has been taken offline permanently. ProZ.com will switch to Google's ad service (DFP Small Business).
Users who may have been affected by this incident are highly advised to scan their computers for malicious software using a tool such as the free MalwareBytes anti-malware utility and/or the free Avast anti-virus program. If any malicious software is found, follow the utility's instructions to quarantine or remove it.
If you think you were affected by this incident, please notify ProZ.com staff by submitting a support request.
Yes. The malware causing the redirect / loading of third-party content was found and removed.
What was found on ProZ.com's server was a redirect script, which by itself would not have infected your machine. However, it cannot be ruled out that the site or sites users were redirected to (or served content from) tried to install something worse. Such "drive-by" attacks need no action on the part of the user: simply loading the page in a browser with an outdated plug-in (such as the versions of Adobe Reader or Java mentioned below) can be enough, especially if up-to-date anti-virus software is not in use.
Some users running Norton anti-virus software received an alert about an attack it called "Exploit Toolkit Website 4". According to Symantec, this attack attempts to exploit various vulnerabilities, including those in outdated versions of Adobe Reader and Adobe Acrobat. See more information about this report from Symantec.
Other reports have indicated that the malware may have tried to run a Java application, possibly exploiting vulnerabilities on outdated versions of Java.
Keep your software up to date, and enable automatic updates when possible. Malware attacks are common against outdated versions of Java and Adobe products, for example. Install an anti-virus program and keep it up to date.
Possibly, though there have been no reports of Mac users affected by this issue.
Contrary to popular belief, Macs are not immune to malware. Mac users should make a point of keeping their software up to date just like Windows users should, and consider using an anti-virus program. (Avast and ClamXav make anti-virus software for Mac.)
Note: the incident described below could potentially have affected up to 8,000 site users. Chances are you were not affected, but please read the following and take the precautions described if you feel you meet the description of one of the potentially affected users.
In at least one instance, a user who viewed the banner ads received an intrusion alert from her Norton Internet Security software, reporting an "MSIE Java Deployment Toolkit Input Invalidation" attack. This type of exploit could allow an attacker to install a Java application on computers with vulnerable versions of Java.
ProZ.com staff have not been able to reproduce such an attack from viewing these banner ads. However, the conditions in which the ads were displayed made such an exploit possible, and given the report from an affected user the decision was made to take down the banner ads and issue this announcement.
ProZ.com has updated its advertising policy to disallow third-party advertisements from containing scripting or active content that might pose a similar threat in the future.
Many thanks to member Alison MacG for bringing this issue to the attention of ProZ.com staff.
Any user who viewed a ProZ.com page containing these banner ads between 12:30 and 22:30 GMT on 23 Feb 2011 could have been affected. The banner ads in question were for "24-Hour Fitness". They were displayed to users who appeared to be in the United States, Canada, or the United Kingdom. Though the ads were shown to only a small percentage of users, if you accessed ProZ.com during this time it is possible that you may have been affected.
Email notification has been sent to users who appear to have viewed pages containing the ads in question.
Of the users who viewed pages containing the ads, those running affected versions of Java were vulnerable to the reported attack. The vulnerability was introduced in Java 6 Update 10 (1.6.0_10) and fixed in Java 6 Update 20 (1.6.0_20), so versions 1.6.0_10 through 1.6.0_19 are affected.
Because ProZ.com staff have not been able to reproduce the exploit, it is not known what the potentially malicious code would do if it had been allowed to run.
The "MSIE Java Deployment Toolkit Input Invalidation" attack reported by the Norton Internet Security software could have allowed an attacker to install a Java application on vulnerable computers.
More information about this type of exploit can be found at the following links:
Users who may have been affected by this incident are encouraged to scan their computers for malicious software using a tool such as the free MalwareBytes Anti-Malware utility. If any malicious software is found, follow the utility's instructions to quarantine or remove it.
If you think you were affected by this incident, please notify ProZ.com staff by submitting a support request.
It is possible to test how an attack like this might affect you by visiting this test page created by the person who originally discovered the vulnerability. That page will attempt to make your computer run the Windows calculator program (calc.exe). If the calculator runs without your consent, you are vulnerable to exploits of this kind.
ProZ.com has updated its advertising policy to disallow third-party advertisements from containing any scripting or active content, so that this type of incident cannot happen again.
Macs may also be affected if they run an older version of Java (below 1.6.0_20). Apple ships Java through its own updates: if you have installed Java for Mac OS X 10.5 Update 7 or later, or Java for Mac OS X 10.6 Update 2 or later, you should be protected from this exploit.
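The version boundaries given above (affected from Java 6 Update 10, fixed in Java 6 Update 20, i.e. anything below 1.6.0_20 on a Java 6 install) are easy to misjudge by eye because the update number sits after an underscore and `java -version` appends a build suffix. The following is an added example, not ProZ.com's or Oracle's code: it parses the version string that `java -version` prints (or that `java.version` reports) and says whether it falls in the affected window. The sample output is constructed, and the check only encodes the page's Windows/Mac version range; it does not speak to the Linux question discussed separately.

```python
import re
from typing import Optional, Tuple

# Affected range stated on the page: introduced in Java 6 Update 10 and
# fixed in Java 6 Update 20, i.e. 1.6.0_10 <= version < 1.6.0_20.
FIRST_AFFECTED = (1, 6, 0, 10)
FIRST_FIXED = (1, 6, 0, 20)

# java.version strings look like "1.6.0_17", "1.6.0_20-b02" or "1.7.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
# `java -version` prints (to stderr) a first line such as: java version "1.6.0_17"
_OUTPUT_RE = re.compile(r'java version "([^"]+)"')


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a java.version string into a comparable (major, minor, patch, update) tuple.
    A missing update number (e.g. "1.7.0") counts as update 0; build suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def version_from_java_output(output: str) -> Optional[str]:
    """Extract the quoted version string from the text printed by `java -version`."""
    m = _OUTPUT_RE.search(output)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True if the version lies in the affected window.
    Tuple comparison is element-wise, so 1.6.0_9 < 1.6.0_10 < 1.6.0_20 as expected."""
    v = parse_java_version(version)
    return FIRST_AFFECTED <= v < FIRST_FIXED


if __name__ == "__main__":
    # Constructed sample, the shape `java -version` prints on a 6u17 install.
    sample = 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)\n'
    v = version_from_java_output(sample)
    print(v, "affected" if is_affected(v) else "not affected")
```

On a real machine you would pipe `java -version 2>&1` into `version_from_java_output`. Note that a system can carry several Java installations (browser plug-in, JDKs, bundled runtimes), so check the one the browser actually loads, not just the one on `PATH`.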
Possibly. The vulnerable Linux versions of Java have the same logic error as the Windows versions, but it appears that different attack code would be required to exploit the vulnerability in Linux than in Windows. If that's correct, it seems unlikely that the reported attack would affect Linux systems.
Some technical details can be found here.
Please ask via ProZ.com's online support system. The support team is standing by to answer questions related to this incident. As questions come in, they will be added with their answers on this page.
Certain ProZ.com user information -- including private data -- was accessed improperly by a site intruder in June of 2009. The following forms of data were accessed:
The security breach became apparent after some ProZ.com users reported receiving unsolicited email from a website called outsourcingroom.com (or oroom.com). Others reported finding that their personal information had been used to create profiles at that site without their permission, and an investigation was launched.
The security hole that was exploited was filled, and a number of steps were taken to make it more difficult for exploits of this nature to be performed in the future.
Hackers exploited a weakness in ProZ.com's security systems. The problem has since been fixed.
No. In fact, ProZ.com does not store such data.
Profiles at least three years old.
There was an automated routine that attempted to access the data in profiles one by one in sequential order. If your profile was created before May of 2006, unfortunately it is reasonable to assume that your data was accessed.
Yes, it is reasonable to assume that your data was not accessed. Note, however, that if you are registered with Elance or other similar services that were accessed by the perpetrators, your data may have been accessed through another source.
There is a search function on the site. (Try searching for both your last name and your ProZ.com username.) You may also enter a support request to ask about your specific profile.
If your name is there, it is likely that your email address has been obtained, and it is therefore possible that you will receive unsolicited email. If you have a telephone number in your profile, it is possible (but not likely) that you would be called.
Yes. A number of users have reported receiving unsolicited email inviting them to register at "oroom.com", which was described in terms similar to those used to describe ProZ.com, Elance and similar services.
If you maintain a spam filter, you may want to filter out email from "oroom" and "outsourcingroom".
Not to our knowledge; there have been no such reports.
No. The data accessed in this incident does not include the types of data normally associated with identity theft, i.e., credit card details, bank information, national identity numbers, etc.
Spam is the worst that anyone has reported as a direct result of this incident.
Not necessarily. It may be that your information has been posted, but is simply not coming up in a search. It may also be that your information was obtained, but for some reason was not placed on the site.
It is unlikely. The stored passwords were not in plaintext, so the intruder did not obtain values that can simply be typed into the login form. How much further protection that gives depends on how the stored form was produced: a salted one-way hash can only be attacked by guessing candidate passwords offline, which succeeds against weak or common passwords, whereas a reversible encoding or encryption can be undone outright. Because of this, it is good practice to use passwords that are difficult to guess, to change your password as an added precaution in this case, and to change it periodically. (For additional reassurance, it is now also possible to view data on any open logins you have.)
If your password is "uncle3pablo", what is stored in the database is not that string but a transformed version of it, and what was accessed in this incident were those stored versions. The illustration "dW5jbGUzcGFibG8=" shows the idea, but note that this particular string is just the Base64 encoding of "uncle3pablo": encoding makes a value unreadable at a glance, yet anyone can decode it without a key, so it is not protection in itself. Real protection comes from a salted one-way hash, from which the original password cannot be computed. In either case the site transforms whatever is typed at login before comparing it with the stored value, so if a person attempts to log in with the stored version of your password, it will fail.
It is generally good practice to select complex passwords and change them periodically, and in this case it is an added security precaution.
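To make the distinction in the two previous answers concrete, here is an added example (not ProZ.com's code, and not a statement of how ProZ.com stores passwords) that takes the page's own illustrative password and shows three storage forms side by side: Base64 encoding, which anyone can reverse; an unsalted hash, which is one-way but falls to an offline wordlist; and a salted, iterated hash (PBKDF2) with the login check that transforms the typed value before comparing, so that presenting the stored record as the password fails. The wordlist and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# The page's own illustrative password and the value it shows as its stored form.
PASSWORD = "uncle3pablo"
PAGE_EXAMPLE = "dW5jbGUzcGFibG8="


def b64_recover(stored: str) -> str:
    """Base64 is an encoding, not encryption: no key is needed to reverse it."""
    return base64.b64decode(stored).decode("utf-8")


def unsalted_sha256(password: str) -> str:
    """One-way, but unsalted: identical passwords give identical digests, so a
    wordlist or a precomputed table recovers weak passwords offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist: List[str]) -> Optional[str]:
    """Offline guessing attack against an unsalted digest; None if no guess matches."""
    for guess in wordlist:
        if hmac.compare_digest(unsalted_sha256(guess), digest):
            return guess
    return None


def pbkdf2_store(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Salted, iterated one-way hash, stored as 'pbkdf2_sha256$rounds$salt$digest'.
    A random 16-byte salt is generated unless one is supplied (supplied only for tests)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def pbkdf2_verify(candidate: str, record: str) -> bool:
    """Login check: transform what was typed with the stored salt and rounds, then
    compare in constant time. Typing the stored record itself therefore fails."""
    _alg, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("base64 decodes to:", b64_recover(PAGE_EXAMPLE))
    digest = unsalted_sha256(PASSWORD)
    print("unsalted sha256 cracked as:", crack_unsalted(digest, ["password", "123456", PASSWORD]))
    record = pbkdf2_store(PASSWORD)
    print("correct password verifies:", pbkdf2_verify(PASSWORD, record))
    print("stored record typed as password verifies:", pbkdf2_verify(record, record))
```

The salted form is the one that justifies "unlikely" in the answer above, and even it only raises the cost of guessing: a password that appears in a wordlist is still recovered, which is why changing a weak password after a breach of stored credentials is the right move regardless of how they were protected.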
Yes. Several sites were hit similarly around the same time. (Some ProZ.com users with profiles less than three years old have reported finding profiles created for them at outsourcingroom.com, and upon investigation concluded that their information had been obtained via Elance.)
From the time it became clear that user data had been accessed improperly, ProZ.com's staff made it their top priority to address this incident. The following steps were taken:
ProZ.com staff members consider it the responsibility of the site to do everything within reason to have the private content that was improperly accessed removed from the web. To this end, as a first step a request for removal was sent to those operating outsourcingroom.com. There was no response and attempts to establish contact were not successful. A "cease and desist" letter and DMCA filings were then prepared. Legal options have been investigated but no action has yet been initiated. A report has been given to appropriate law enforcement bodies, ISPs hosting the site have been notified, and other steps have been taken. Unfortunately, there is no guarantee that any of these efforts will be successful in the near term, if at all. However, the process will be pursued to the extent possible.
It is a goal of ProZ.com to meet and exceed the minimum requirements in all jurisdictions in which the site operates. Following the incident, ProZ.com began working towards certification according to the U.S.-E.U. Safe Harbor Framework guidelines for handling private data, earning the certification in early 2010. Beyond that, privacy will continue to be an emphasis among the site team. Training in data privacy has always been a part of ProZ.com employee training; this training will be repeated and expanded upon. In addition, further controls will be given to members to reduce privacy related risks. For example, users will be provided with options to remove in batches data that no longer has any value. (Old quotes, etc.)
The breach was not noticed until reports of spam began to be received. At that time, information was shared in a forum thread as it was obtained, and the breach was announced in that thread hours after it had been confirmed (and within a few days of the start of the investigation).
As for follow-on steps, including sending a general notification, it was advisable for reasons of security (and in the interest of protecting user data that had not been accessed) to take certain technical precautions before calling additional attention to the matter.
There is no question that those affected deserved to be informed much sooner, and we regret that it has taken two weeks for the necessary steps to have been taken, even as staff worked overtime and through the weekends to carry out the tasks. (We admire the ability of Elance to take measures similar to those taken by us in much less time.) We have resolved to become much better equipped to respond rapidly to challenges like this in the future.
We cannot advise for or against accessing outsourcingroom.com or interacting with those operating it. Exercise caution when entering any information into the site. (One member described the method she used to remove a profile from the site in a forum post.)
If your name is listed on the site, the odds are that your email address has already been obtained. (In other words, you would not be giving new data, but rather confirming data that they already have.)
It was not you, it was someone else. There has been no evidence to suggest that access was gained to user accounts, in other words, we do not believe that anyone logged in as anyone else. Rather, direct access was gained to the aforementioned data in the profiles.
Please ask via ProZ.com's online support system. The support team is standing by to answer questions related to this incident. As questions come in, they are added with their answers on this page.
The thread that existed on this topic contained some incorrect speculation that led to undue alarm and inconvenience for some members. The decision was made to post the facts of this incident in one "official" page, and to field any unanswered questions via the support channel, updating the page as necessary to ensure that all questions are answered efficiently and thoroughly. Your cooperation in this respect will be appreciated.