Bodis wrote on its blog about a security incident that happened last week:
Our team has detected suspicious activity on the Bodis.com site that began on or about Tues 07/12 @ 16:00 UTC and lasted through the early hours of Wed 07/13.
Summary of the Event
Our team has observed an attempt to gain access to user accounts on the Bodis system using an automated login script. The intruder has attempted to gain access to various accounts using predefined email address and password combinations, the overwhelming majority of which failed to work. Most users have received a Failed Login email notification as a result of these failed login attempts.
However, it seems that the intruder was able to access several accounts. In the instances where the intruder was able to access accounts, we opted to disable account access several hours later and notified those users to reset their password, check their payout settings, as well as any other personal information.
Currently, our team does not believe our network has been compromised, and we are quite confident that the attacker has gained a list of email addresses and passwords from an external database not associated with Bodis, potentially from a breach elsewhere within the domain industry. It should be noted that the attacker has also attempted to log in using email addresses that do not even exist on our system. Our passwords are hashed with a strong hashing algorithm, and have always been since Bodis’ inception. Bodis has never stored passwords in plain text.
We have always and will always take security seriously. We are taking the following steps to protect you:
- We’ve added a CAPTCHA to the login page to slow down any scripted login/attack attempts.
- We’re moving to dual authentication as a requirement for all accounts. By default, all accounts will be required to confirm their login via email if the device or IP is not trusted. We expect this to be live in the immediate future.
- Bodis already supports 2FA optionally. We highly recommend you enable 2FA on your account if you have not done so already.
We also highly recommend you use a password that is long, complex, and not re-used on any other sites.
For any questions or concerns, please contact our support team at email@example.com
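The pattern Bodis describes is credential stuffing: one source working through a list of email/password pairs harvested elsewhere, most attempts failing, some aimed at accounts that do not exist on the target site at all. Those three signals (many distinct accounts per source, a high failure rate, and attempts against unknown emails) are what a detection rule keys on. The following is an added example, not Bodis' code; the log line format, the IP addresses, the email addresses, the `nosuchuser` result marker and the thresholds are all constructed for illustration:

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not Bodis' code. Assumed log format per line:
    <timestamp> <source ip> <email> <result>
where result is "success", "fail" (wrong password) or "nosuchuser"
(the email is not in the user table). All values below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one source sprays ten different accounts (two of which
# do not exist), one user fumbles their own password twice, one logs in normally.
SAMPLE_LOG = """\
2016-07-12T16:00:01Z 203.0.113.7 alice@example.com fail
2016-07-12T16:00:02Z 203.0.113.7 bob@example.com fail
2016-07-12T16:00:02Z 203.0.113.7 carol@example.com nosuchuser
2016-07-12T16:00:03Z 203.0.113.7 dave@example.com fail
2016-07-12T16:00:03Z 203.0.113.7 erin@example.com success
2016-07-12T16:00:04Z 203.0.113.7 frank@example.com nosuchuser
2016-07-12T16:00:04Z 203.0.113.7 grace@example.com fail
2016-07-12T16:00:05Z 203.0.113.7 heidi@example.com fail
2016-07-12T16:00:05Z 203.0.113.7 ivan@example.com fail
2016-07-12T16:00:06Z 203.0.113.7 judy@example.com fail
2016-07-12T16:10:00Z 198.51.100.9 alice@example.com fail
2016-07-12T16:10:30Z 198.51.100.9 alice@example.com fail
2016-07-12T16:11:00Z 198.51.100.9 alice@example.com success
2016-07-12T16:12:00Z 192.0.2.44 bob@example.com success
"""

# Assumed thresholds; a real deployment tunes these against its own baseline.
MIN_ATTEMPTS = 8          # ignore low-volume sources (a user retrying a password)
MIN_DISTINCT_RATIO = 0.8  # share of attempts that target a different account
MIN_FAILURE_RATE = 0.7    # share of attempts that fail


@dataclass
class SourceStats:
    attempts: int = 0
    emails: set = field(default_factory=set)   # distinct accounts targeted
    failures: int = 0                          # "fail" + "nosuchuser"
    nonexistent: int = 0                       # attempts on unknown emails
    successes: set = field(default_factory=set)  # accounts actually entered


def parse_line(line):
    ts, ip, email, result = line.split()
    return ts, ip, email.lower(), result


def collect_stats(log_text):
    """Aggregate per-source login statistics from the log text."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, email, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.emails.add(email)
        if result == "success":
            s.successes.add(email)
        else:
            s.failures += 1
            if result == "nosuchuser":
                s.nonexistent += 1
    return stats


def is_credential_stuffing(s):
    """A source is flagged when it sprays many different accounts and either
    mostly fails or hits emails that do not exist on this site (a list taken
    from another site's breach)."""
    if s.attempts < MIN_ATTEMPTS:
        return False
    distinct_ratio = len(s.emails) / s.attempts
    failure_rate = s.failures / s.attempts
    return distinct_ratio >= MIN_DISTINCT_RATIO and (
        failure_rate >= MIN_FAILURE_RATE or s.nonexistent > 0
    )


def flag_sources(log_text):
    """Return {ip: SourceStats} for every source that looks like stuffing."""
    return {ip: s for ip, s in collect_stats(log_text).items()
            if is_credential_stuffing(s)}


def accounts_to_notify(log_text):
    """Accounts that a flagged source logged into successfully: the ones to
    lock and tell to reset their password and review payout settings."""
    hit = set()
    for s in flag_sources(log_text).values():
        hit |= s.successes
    return hit


if __name__ == "__main__":
    for ip, s in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s.attempts} attempts, {len(s.emails)} accounts, "
              f"{s.failures} failures, {s.nonexistent} nonexistent, "
              f"entered {sorted(s.successes)}")
    print("notify:", sorted(accounts_to_notify(SAMPLE_LOG)))
```

On the constructed sample, only 203.0.113.7 is flagged: it touches ten accounts in ten attempts, fails nine times and twice hits emails that are not in the user table, while 198.51.100.9 (one user retrying their own password) stays under the attempt threshold. The one successful login from the flagged source, erin@example.com, is the account that needs the lock-and-reset treatment described above. The `nosuchuser` signal is the cheapest of the three to act on: a legitimate user almost never types an email the site has never seen, so a source producing several of them in a short window deserves the CAPTCHA or a temporary block well before the failure-rate threshold is reached.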