Basecamp Defends Against an Hour-Long Credential Stuffing Attack

Published on February 1, 2019
Written by:
Bill Toulas
Cybersecurity Journalist

Basecamp has successfully defended against a large-scale credential stuffing attack that took place on January 29 and lasted for about an hour. According to a blog post by the company’s CTO, only about a hundred user accounts were compromised, out of the 3 million registered with the Chicago-based project management and team communication platform. From the moment the surge in logins was detected, Basecamp’s IT security team counted approximately 30,000 attempts to access accounts, originating from a wide range of IP addresses.

The initial response was to block the IP addresses associated with the attackers, and the second phase was to enable a CAPTCHA and bring the incident to an end. The accounts of the 124 people breached in the stuffing attack were reset, and an email informing them of the fact was sent the following day. As the CTO of Basecamp, David Heinemeier Hansson, stated: “All of the unauthorized access was gained using the correct username and password for the account. It’s highly likely that these credentials were obtained from one of the big breaches, like those collected in combos like Collection #1, Anti Public, or Exploit.in. All the affected accounts showed as “owned” on haveibeenpwned.com.”
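The response sequence described above (spot the surge, block the noisy IPs, fall back to a CAPTCHA, reset the accounts that were entered) can be expressed as detection logic over login events. This is an added example, not Basecamp's code; the event tuple format, the thresholds and the function names are assumptions, and the log is constructed.

```python
from collections import Counter, defaultdict

# All thresholds are assumed values for illustration; tune them to real traffic.
WINDOW = 300         # seconds per analysis window
SURGE_FAILURES = 20  # failed logins in one window that count as a surge
MIN_USERS = 10       # distinct usernames failing: many accounts, not one user's typos
PER_IP_LIMIT = 5     # failures from one IP before it goes on the block list

def sample_events():
    """Constructed log: (epoch_seconds, source_ip, username, login_succeeded)."""
    events = [(1000 + 60 * i, "198.51.100.7", "alice", i % 3 != 0) for i in range(4)]
    # Distributed burst: 40 attempts from 20 IPs, one of which succeeds.
    events += [(2100 + 5 * i, f"203.0.113.{i % 20 + 1}", f"user{i}", i == 17)
               for i in range(40)]
    # One noisy source that a per-IP limit does catch.
    events += [(2100 + i, "192.0.2.50", f"acct{i}", False) for i in range(6)]
    return events

def analyze(events):
    windows = defaultdict(list)
    for ts, ip, user, ok in events:
        windows[ts // WINDOW].append((ip, user, ok))
    findings = []
    for idx, rows in sorted(windows.items()):
        failed = [(ip, user) for ip, user, ok in rows if not ok]
        if len(failed) < SURGE_FAILURES or len({u for _, u in failed}) < MIN_USERS:
            continue  # ordinary background of mistyped passwords
        per_ip = Counter(ip for ip, _ in failed)
        tried = defaultdict(set)  # usernames each IP failed against
        for ip, user in failed:
            tried[ip].add(user)
        block = sorted(ip for ip, n in per_ip.items() if n >= PER_IP_LIMIT)
        residual = sum(n for ip, n in per_ip.items() if ip not in block)
        # A success from an IP that failed against *other* accounts in the same
        # window used a valid password: that account is a candidate for reset.
        reset = sorted({u for ip, u, ok in rows if ok and tried[ip] - {u}})
        findings.append({
            "window_start": idx * WINDOW,
            "failures": len(failed),
            "distinct_ips": len(per_ip),
            "block_ips": block,
            # Blocking alone is not enough if the rest still looks like a surge.
            "enable_captcha": residual >= SURGE_FAILURES,
            "reset_accounts": reset,
        })
    return findings

if __name__ == "__main__":
    for finding in analyze(sample_events()):
        print(finding)
```

In the constructed burst each attacking IP stays under the per-IP limit, so only the single noisy source is block-listed and the CAPTCHA flag is what covers the remaining attempts.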

In the wake of the Collection #1 account leaks, there will be many stuffing attacks like this one. Only three days ago, we reported a similar attack that targeted DailyMotion and lasted for six days, and more platforms are bound to follow, as that particular credentials collection compromised about 773 million email addresses and the corresponding passwords. That said, the only way to protect yourself from future stuffing attacks is to check your email on “haveibeenpwned.com”, find out whether you’re included in the latest data dumps, and reset your passwords immediately. Also, as always, we advise using a password manager, which lets you easily manage many different passwords, and enabling two-factor authentication wherever it is offered.

Do you consider Basecamp to be a bright example of how IT ops teams should handle stuffing attacks? Let us know in the comments below, and help us spread the word about the danger of using a single password across many platforms by sharing this story through our socials on Facebook and Twitter.


