Potential Webscript Security Breach

Planet Rational’s Amazon Web Services credentials have been inadvertently exposed, potentially leaking Webscript user data. We've sent the following email to all of our customers:

Planet Rational's Amazon Web Services credentials have been inadvertently exposed, potentially leaking Webscript user data. (Planet Rational is the company behind Webscript.) While we don't know that any data was accessed, we do know that it was possible.

What we recommend

We recommend that any credentials used in scripts (e.g., Twilio secret keys or email passwords) be treated as though they have been compromised, and rotated accordingly.

We also recommend that all users change their passwords. To change your password, log in to Webscript, visit https://www.webscript.io/settings, and click the "change password" link.

(Note that Webscript only stores password hashes, generated with 12 iterations of bcrypt and a random salt.)

What happened?

We made a human error despite a review process meant to catch such errors. One of the Webscript examples shows how to use Amazon's S3 service from Webscript. In building that script, we made use of our Amazon credentials, and we inadvertently published those credentials in the example code. These credentials have already been changed, but there was a window in which the credentials were visible and active.

In the future, we will never use Planet Rational's AWS credentials in any examples, and we are adopting a more rigorous checklist-based process to make sure we don't leak any secrets in code examples.
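One concrete item such a checklist can automate is a pre-publish scan of example code for AWS credentials. The following is an added illustration, not Planet Rational's own tooling or Webscript code; it assumes the standard formats of long-term AWS access key IDs (20 characters starting with "AKIA") and secret access keys (40 base64-like characters), and the embedded sample script is constructed, using the placeholder credentials AWS uses in its own documentation rather than any real key.

```python
import re

# Long-term AWS access key IDs are 20 characters beginning with "AKIA".
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-like characters. Only flag them when they
# sit next to an assignment named "secret..." to keep false positives down.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)secret\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_example(text):
    """Return (line_number, kind, value) for every credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", m.group(1)))
    return findings


def redact(value):
    """Keep only the first and last 4 characters so the report cannot re-leak the value."""
    return value[:4] + "..." + value[-4:]


def publish_check(text):
    """Return (ok, report_lines). ok is False if anything must be removed first."""
    findings = scan_example(text)
    report = ["line %d: %s %s" % (n, kind, redact(v)) for n, kind, v in findings]
    return (len(findings) == 0, report)


# Constructed sample of an S3 example script (hypothetical); the credentials are
# the placeholder values from AWS documentation, not real keys.
SAMPLE_EXAMPLE = """\
# upload a file to S3 from an example script
access_key = "AKIAIOSFODNN7EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
bucket = "example-bucket"
"""

if __name__ == "__main__":
    ok, report = publish_check(SAMPLE_EXAMPLE)
    print("OK to publish" if ok else "BLOCKED:\n" + "\n".join(report))
```

Run it as a pre-commit or pre-publish gate; any finding should block publication until the example is rewritten with clearly fake placeholder values.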

We are very sorry for this. We take security seriously but made a mistake.

In addition to this email, we will be writing a post on the Webscript blog (http://blog.webscript.io) about what happened.

If you have any questions or concerns, please simply reply to this email.

Sincerely,

Steve Marx and Todd Proebsting (Planet Rational founders)

We take security seriously. We can be reached at any time at support@webscript.io.