On June 1st, Datto became aware as the result of an internal alert that a phishing email had been sent from the email address of a Datto employee in our finance department. Datto immediately declared an incident, engaged our internal incident response process, formed a response team and conducted a thorough investigation of the incident.
The information that follows is an updated version of a post that was provided on the Partner Forum to Datto partners on June 1st. The intent of sharing this information is to provide further information as to our response and inform you of the comprehensive steps that we took to assess the scope of the incident and measures to contain and remediate it.
Upon an analysis of the logs, we found that this incident was due to the employee’s email login credentials being used in an unauthorized manner by an unknown actor to access the employee’s corporate Gmail account. The actor, leveraging the compromised credential, remotely logged into Gmail and sent the phishing message. The message was targeted at email addresses in the affected employee’s frequently used contacts list.
The objective of the phish was to lure recipients into opening the link in the email, which led to a fake file-sharing website imitating Google Drive, and to get the recipient to attempt to log in to that site. The site would then harvest the login credentials for later reuse.
The email contained the following indicators:
From: avolante@datto.com
Subject: "Fwd: Please see attached document"
Link: [hxxps://]annovativeinc(dot)net/home
Datto took the following immediate steps to address this event:
Immediately suspended the employee’s email account
Reviewed all account activity
Changed the credentials for the employee’s email account
Enabled two factor authentication (2FA) for the affected employee’s email account
Contacted the registrant of the domain used in the email, reported the abuse and requested a takedown to bring the fraudulent site offline
We are working with the registrars to provide the required information so that they can take down the site
Upon review of the logs, Datto has determined that:
no email forwarding of new messages was configured
no message filters were created
no additional emails were sent or received other than the one in question
no access tokens were added
no secondary access to the affected account via other protocols was set up
Further assessment covered the other key systems to which the employee had access. We found that the compromised credential was only in use for Gmail and was not in use on any other Datto systems or third party systems.
Regardless of that fact, we felt it appropriate to exercise additional diligence. The response team audited the available access logs of both Datto systems and third party systems looking for any suspicious activity. We found that only legitimate access had occurred for these other systems. As an extra precaution, we've had the user change their credentials on other key systems. This was done in addition to enabling two factor authentication on the account.
The key systems confirmed as neither accessed nor affected are as follows:
Datto's Single-Sign on System (SSO)
Datto's Portals including Partners
Datto’s Corporate VPN
Internal Partner Administration Portals
Internal Finance Systems
Datto is also taking additional long term steps to prevent the future occurrence of such events, including enabling two factor authentication (2FA) for all users of its email systems. This is rolling out to Datto's finance team immediately and to the rest of the company in the next several weeks.
Datto leverages a third party for processing credit card payments. As a result, no payment card data is accessible through the Datto finance payment processing systems. Again, the finance systems were confirmed unaffected by this event, but we felt it important to reiterate to you that we do not store your credit card information in our finance systems.
We cannot rule out the possibility that there may have been sensitive information contained within the compromised email account. We are actively reviewing the account. If we identify any possibility of incidental access we will notify the affected partners directly.
We recommend that anyone who received the email take the following actions:
If you logged into the fake file sharing site, then
immediately notify your IT admins and security team.
change the login credentials input into the phishing site everywhere they were used.
report the phishing email to your IT admins and security team and provide them a copy of this notification.
Your IT admins and security teams may elect to:
review email logs to see who received the email using the indicators above.
block access to the domain contained in the email (see above indicators).
review web filtering logs for any access of the phishing website prior to the block.
identify employees that did engage with the website and change their login credentials if they attempted to log in.
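As an added illustration of the review steps recommended above (this is example code written for this page, not a Datto tool or script), the following Python script refangs the published indicators, sweeps a mail log for recipients of the phishing message, sweeps a web proxy log for anyone who reached the phishing domain, and separates users who appear to have submitted a form (a POST to the site) from those who only viewed it. The pipe-separated mail log format, the key=value proxy log format and every log line are constructed for the example; adapt the two parsers to your own mail gateway and proxy formats.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published in the notification (kept defanged here).
IOC_SENDER = "avolante@datto.com"
IOC_SUBJECT = "Fwd: Please see attached document"
IOC_LINK_DEFANGED = "[hxxps://]annovativeinc(dot)net/home"

# Constructed sample logs (not real data): ts|sender|recipient|subject|url
MAIL_LOG = """\
Jun 1 13:02:11|avolante@datto.com|alice@partner-a.example|Fwd: Please see attached document|https://annovativeinc.net/home
Jun 1 13:02:12|avolante@datto.com|bob@partner-b.example|Fwd: Please see attached document|https://annovativeinc.net/home
Jun 1 13:05:40|avolante@datto.com|carol@partner-a.example|Re: Invoice 4471|
Jun 1 13:09:03|newsletter@vendor.example|alice@partner-a.example|June update|https://vendor.example/news
"""

# Constructed sample proxy log (not real data).
PROXY_LOG = """\
Jun 1 13:10:02 user=alice@partner-a.example method=GET url=https://annovativeinc.net/home status=200
Jun 1 13:10:31 user=alice@partner-a.example method=POST url=https://annovativeinc.net/home status=302
Jun 1 13:15:09 user=bob@partner-b.example method=GET url=https://annovativeinc.net/home status=200
Jun 1 13:20:44 user=dave@partner-a.example method=GET url=https://vendor.example/news status=200
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a string that matches real log data."""
    s = indicator.replace("[", "").replace("]", "")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return s.replace("(dot)", ".")


IOC_URL = refang(IOC_LINK_DEFANGED)       # https://annovativeinc.net/home
IOC_DOMAIN = urlparse(IOC_URL).hostname   # annovativeinc.net


def on_phish_domain(url: str) -> bool:
    """True if the URL's host is the phishing domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)


def find_recipients(mail_log: str) -> set:
    """Recipients of messages matching the published sender plus subject or link."""
    hits = set()
    for line in mail_log.strip().splitlines():
        _ts, sender, recipient, subject, url = line.split("|")
        if sender.lower() != IOC_SENDER:
            continue
        if subject == IOC_SUBJECT or (url and on_phish_domain(url)):
            hits.add(recipient)
    return hits


PROXY_RE = re.compile(r"user=(\S+) method=(\S+) url=(\S+) status=(\d+)")


def find_site_access(proxy_log: str) -> dict:
    """Map user -> {'visited', 'submitted'} for requests to the phishing domain.

    A POST to the site is treated as a likely credential submission.
    """
    access = {}
    for line in proxy_log.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        user, method, url, _status = m.groups()
        if not on_phish_domain(url):
            continue
        entry = access.setdefault(user, {"visited": False, "submitted": False})
        entry["visited"] = True
        if method.upper() == "POST":
            entry["submitted"] = True
    return access


def triage(mail_log: str, proxy_log: str) -> dict:
    """Combine both log views into the action lists the notification recommends."""
    recipients = find_recipients(mail_log)
    access = find_site_access(proxy_log)
    return {
        "recipients": sorted(recipients),
        "visited_site": sorted(access),
        # Submitted a form: reset these credentials everywhere they were used.
        "reset_credentials": sorted(u for u, a in access.items() if a["submitted"]),
        # Viewed the page but no POST seen: confirm with the user before closing.
        "follow_up": sorted(u for u, a in access.items() if not a["submitted"]),
    }


if __name__ == "__main__":
    for action, users in triage(MAIL_LOG, PROXY_LOG).items():
        print(f"{action}: {users}")
```

The subject line alone is a weak indicator (it is easy to reuse), so the recipient sweep keys on the sender and accepts either the subject or the phishing link as confirmation. Proxy logs only show users who went through the proxy, so an empty `visited_site` list does not prove nobody clicked; the recipient list is the population to notify regardless.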
Datto takes very seriously any event that impacts the security of Datto and our partners. We have taken immediate corrective action and are implementing long-term mitigations to prevent any future occurrences of this kind. We will also further review this incident via a formal debrief to identify any additional control improvements.
Ryan Weeks
Chief Information Security Officer