Update to Compromised Email Addresses Incident
After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor.
We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties, and provided these email addresses to the bad actor. This action was limited to this single employee.
Despite the many precautions taken to protect our customer data, the employee’s role enabled specific access to these email addresses. This employee has been terminated, all access has been revoked and we have reported this employee to law enforcement.
The protection of our customer’s data is our first priority and this employee’s actions let us all down. We have alerted the five other customers to this information and sincerely apologize to them.
We launched a comprehensive security review of our access and security policies to prevent an insider threat from happening again and have already made the following changes:
- Our intrusion detection system and immutable logging has been improved to provide more proactive notifications of data exfiltration.
- Access to production systems and data stores has been further restricted.
- All access and authorization keys for critical services were reviewed and rotated.
- Access to the data in customer’s accounts by Customer.io employees is now opt-in as a setting (and turned off by default). Customers can now grant Customer.io’s support team access to their account for a limited time and only if they choose to.
- If accessing a customer account, Customer.io staff can no longer export customer data.
- We’re refreshing and will be retraining all staff on our security policies.
We continue to review and audit our compliance policies and are committed to make further changes with high priority to ensure protection of customer data.
After consulting with our third party cyber investigations firm we have not found evidence of any other customers having had their email addresses compromised. We do not expect to learn any additional information since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job.