This post is quoted from the original published here
On Sep. 1st the LOPSA Board was notified that on Aug. 26th an administrator's account was used to gain unauthorized access to our member management system. As soon as the vendor detected the suspicious activity, they deactivated the compromised credentials, thereby stopping further access. The credentials were used to initiate a phishing attack, sending approximately 13,000 emails posing as Netflix to non-LOPSA member recipients. At this time we believe this to be the extent of the malicious activity, and we are working with our vendor to determine the full scope. With the credentials compromised, it's possible that the attacker had access to all information on each member's profile including:
- Phone Number
- Job Title
- Membership Renewal/Status History
- T-shirt Size
The attacker did not have access to password hashes or payment information.
We are currently working with the vendor to understand if any of our members' information was accessed and/or exported in any way.
Going forward we are looking into options to tighten security. We apologize for the inconvenience this will cause.
If you have any questions, please reach out at firstname.lastname@example.org
- Your LOPSA Board