
Elance Security Failure (Again)

August 28, 2009

I had planned to blog about something else today but, this morning, I received several emails from Elance projects. Not unusual, you might say. Indeed, but there was something strange about these emails:

I’m not working on the projects.

Yes, that’s right: I have received private messages sent from within existing, ongoing projects but I’m not a part of the team. I have no idea why their system sent me copies.

Fortunately for the individuals involved, none of their personal information was included (and I’m an honest chap, anyway, so wouldn’t have used it for the purpose of advancing my plans for world domination).

Obviously, I’ve contacted the Elance support people and told them what’s going on. I’ll keep you updated on anything I hear.

In the meantime, be careful what you type on your workroom message boards.

Update (28 Aug, 11:11 GMT) – I’m now being flooded with private messages. Thankfully, those that say they have attachments do not. It appears only message text is being misdirected, rather than (potentially very confidential) documents. No guarantees, though.

Update (28 Aug 20:35 GMT) – Elance have sorted their problem out. Apparently one of their engineers changed the daily update script and caused the breach.

Quite how someone manages to make a script change with such a massive, glaring error in it and it isn’t spotted before going into production is beyond me. I mean, it’s not like we’re talking about a tiny thing here. This is sending confidential information to people not involved in the jobs. The error is huge.

It’s also a glaring error: how is the fact of sending emails from a workroom to people not in that workroom overlooked? How does that get into the production environment? How many people were affected? How many will be filing lawsuits over disclosed information? I guess we’ll have to wait and see.

Here’s the text of the email I received:

Thank you for your email.

Here is what we know so far about the Daily Summary emails that many have reported receiving earlier today, Friday, August 28.

Once a day, Elance sends an email (to those who elect to receive them) that summarizes the previous 5 messages that have occurred inside the digital Workrooms that facilitate collaboration between service providers and their clients. Such communications are typically messages that occur either in real-time between parties or are left in a bulletin board format.

Yesterday, one of our engineers made a change to the script that initiates this nightly process. The changes were tested, but the errors were not identified. As a result, last night’s batch of such Daily Summary emails were initiated at 1:30am Pacific time, and unfortunately an unknown number were erroneously sent to Elance members that were neither the provider nor the client. The error was discovered at 2:30am and the process was halted by 2:50am.

We apologize for this error and any inconvenience that this issue might have caused. We will be reaching out directly to all parties affected with additional information shortly.

Additionally, for ongoing updates to the situation, please refer to this page: http://www.elance.com/p/trust/daily_email_update.html.

Best regards,
Steve Holm
Director, Customer Relations
