Early this morning we were informed by our database hosting provider that our database had been accessed by an intruder, through a security flaw in our database provider’s infrastructure. The intruder accessed several dozen of our users’ names, email addresses, and encrypted passwords, as well as what IP addresses those users registered and most recently logged in from. We have directly notified the affected users at the email addresses they registered with at Quantopian.
What this means:
- The intruder might send the affected users unsolicited email, and might include their name in the message in order to appear familiar with them.
- Passwords are securely encrypted in our database, and it is extraordinarily unlikely that the intruder will be able to decrypt them. However, to be cautious, we've recommended that the affected users change their passwords on our site and on any other site where they used the same password.
- User algorithms were not compromised. The intruder does not appear to have accessed any algorithms stored in our database. Even if he had, algorithms are securely encrypted.
- For users in our live trading pilot program, their Interactive Brokers usernames, account numbers, and passwords were not compromised.
This is a very difficult message for us to relay -- we would prefer that this never happen. The protection of our members’ intellectual property is one of our core promises, and we take it very seriously. We want our members to trust us with their intellectual property. We believe that the best way to earn your trust is by being transparent with you about Quantopian. We hope that we can continue to earn your trust, even when we are sharing unpleasant news.
The good news is that we had considered and prepared for this specific type of attack on our site. We had considered that our database might be illegally accessed in a security event, and we had protected ourselves and our users from many consequences of such an event. We’ve had the opportunity to carefully review our security plan and implementation this week, and we are satisfied that we are protecting our users and their property.
Of course, security work is never done. There are always more measures that can be taken. Among other things, we’ve decided to encrypt email addresses in our database to further limit the exposure to a database security issue. Our future plans continue to include using third-party vendors to provide our infrastructure, including database hosting. We evaluate the risks of each vendor we use, and we manage the security risks associated with using a third-party vendor. We are confident we can protect our users' property.
We encourage you to use common-sense methods to protect your own security.
- Never use the same password on more than one website (or, at least, not for websites with financial information).
- Use strong passwords that include capital letters, numbers, and/or symbols, and are not dictionary words or even similar to dictionary words.
- Change passwords regularly.
- Be alert and skeptical of phishing emails that attempt to get personal information or passwords, or that send you to websites asking for personal information or passwords.
Additional technical details about the incident and our security precautions can be found below.
If you have any questions or concerns, please let us know. We always reply to email received at [email protected]. We monitor [email protected] for emails concerning our security. You are always welcome to reach me personally at [email protected].
CEO and Co-Founder
On October 29, MongoHQ notified their customers by email that a breach of MongoHQ’s security had occurred. They also posted their initial notification and updates to the web.
MongoHQ’s initial notification led us to believe that Quantopian’s databases were not compromised in the breach. Nevertheless, as a precautionary measure, we immediately began the risk mitigation procedures detailed below.
On November 1, we were notified by MongoHQ that our databases were accessed by the intruder. In particular, he viewed part of our user list, exposing email addresses, password hashes, and IP addresses of a small number of Quantopian’s users.
After MongoHQ’s initial notification, we conducted a full audit of database access credentials. We confirmed that no unauthorized credentials had been created; we deleted credentials that were no longer needed; and we changed the usernames and passwords of all others. We don’t believe that the intruder obtained any of our credentials, but any that he might have obtained are now useless.
We also reviewed the security precautions we already have in place for protecting our users’ data. These include:
- Quantopian site passwords are securely hashed with bcrypt with cost=10. The amount of computation necessary to derive the original password from a bcrypt hash is prohibitive, and we think it is unlikely that the intruder responsible for this incident will even bother to try. Nevertheless, as noted above, we do recommend that our users change their password at Quantopian and any other site where they used the same password.
- User algorithms (with the exception of those that are shared publicly in our forums) are AES-encrypted with a key that is not stored in our database. All available evidence suggests that the intruder did not even try to access user algorithms, but even if he had, he would have been unable to read them.
- Interactive Brokers usernames and account numbers are similarly encrypted (with one exception -- see below), so again, though we don’t believe the intruder tried to access them, even if he had, he would have been unsuccessful.
- We never store IB passwords in our database; when a user logs into IB through Quantopian, we hold the password in memory only for long enough to complete the login process.
As a result of this review, we have decided to make the following enhancements to our already strong security posture:
- We’re going to encrypt the email addresses in our database, so that even if an intruder manages to access our user list, he won’t be able to send our users spam or phishing emails.
- We identified one database (not accessed by the intruder) in which IB account numbers are being stored without encryption. Although the risk from exposing an IB account number without a username or password is extremely small, we are going to eliminate it entirely by replacing the IB account numbers with MD5 hashes.
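The two storage rules described above (algorithms, IB account numbers and, going forward, email addresses are kept as AES ciphertext under a key that never lives in the database; IB account numbers in the remaining database become MD5 digests) are shown together in the following Go program. This is an added illustration written for this page, not Quantopian's code: the post says only "AES-encrypted", so the concrete mode (AES-256-GCM with the nonce stored in front of the ciphertext), the `ALGO_ENC_KEY` environment variable, the `StoredUser` layout and all sample values are assumptions of this example. It goes one step beyond the post by also including a keyed HMAC-SHA256 variant for the account number, because an unsalted digest of a short identifier can be matched against a precomputed table, which a key held outside the database prevents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// StoredUser models the columns that would actually be written to the
// database: every sensitive field is held as ciphertext or a digest,
// never as plaintext. (Layout is an assumption of this example.)
type StoredUser struct {
	EmailCipher  []byte // nonce || AES-GCM ciphertext || tag
	AlgoCipher   []byte // same format, for the algorithm source
	IBAcctDigest string // hex digest of the IB account number
}

// loadKey reads the field-encryption key from the process environment.
// The key is never written to the database, so a copy of the stored rows
// alone does not let a reader recover the protected fields.
// ALGO_ENC_KEY is a hypothetical name; the constructed fallback exists
// only so this example runs offline.
func loadKey() []byte {
	if k := os.Getenv("ALGO_ENC_KEY"); len(k) == 32 {
		return []byte(k)
	}
	return []byte("constructed-demo-key-32-bytes!!!") // 32 bytes -> AES-256
}

// encryptField returns nonce || ciphertext || tag so the stored blob is
// self-describing; a fresh random nonce is drawn for every field.
func encryptField(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptField reverses encryptField; a wrong key or a modified blob
// fails the GCM tag check and returns an error rather than garbage.
func decryptField(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// HashAccountNumberMD5 is the replacement the post describes: store the
// MD5 of the IB account number instead of the number itself.
func HashAccountNumberMD5(acct string) string {
	sum := md5.Sum([]byte(acct))
	return hex.EncodeToString(sum[:])
}

// HashAccountNumberHMAC is a keyed alternative (an addition of this
// example, not something the post describes): the digest depends on a
// key kept outside the database, so it cannot be matched against a
// table of digests of all possible account numbers.
func HashAccountNumberHMAC(key []byte, acct string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(acct))
	return hex.EncodeToString(mac.Sum(nil))
}

// StoreUser builds the row that would be persisted for one user.
func StoreUser(key []byte, email, algoSource, ibAcct string) (StoredUser, error) {
	emailCipher, err := encryptField(key, []byte(email))
	if err != nil {
		return StoredUser{}, err
	}
	algoCipher, err := encryptField(key, []byte(algoSource))
	if err != nil {
		return StoredUser{}, err
	}
	return StoredUser{
		EmailCipher:  emailCipher,
		AlgoCipher:   algoCipher,
		IBAcctDigest: HashAccountNumberMD5(ibAcct),
	}, nil
}

func main() {
	key := loadKey()
	// Constructed sample data; not real user records.
	rec, err := StoreUser(key, "alice@example.com", "def initialize(context):\n    pass\n", "U1234567")
	if err != nil {
		fmt.Println("store failed:", err)
		return
	}
	fmt.Printf("email column as stored: %x\n", rec.EmailCipher)
	fmt.Println("IB account column as stored:", rec.IBAcctDigest)
	email, _ := decryptField(key, rec.EmailCipher)
	fmt.Println("decrypted with key from environment:", string(email))
	_, err = decryptField([]byte("wrong-key-wrong-key-wrong-key!!!"), rec.AlgoCipher)
	fmt.Println("decrypt with a wrong key:", err)
}
```

Run it with `ALGO_ENC_KEY` set to a 32-byte value to see that the same rows are unreadable without the key that produced them; the printed `email column` contains no recognisable plaintext, and the wrong-key decryption ends in a GCM authentication error rather than in a silently corrupted string.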
Although we are obviously not happy that this incident occurred, our existing security precautions minimized its impact as they were intended to. We will continue to monitor the aftermath of this incident and respond appropriately to any new developments.