On Friday (Nov-15-2013) morning, an intruder was able to gain enough access on our website to run some unauthorized code. The intruder did not access our databases; no user information, algorithms, backtest results, etc. were compromised. The intruder was able to see information about our system and infrastructure. This information could have been used to gain further access to our systems and data, but we have modified our security systems to prevent that.
When we identified the attack, we took down the website and shut down all access. We analyzed our logs of the incident, including logs maintained by separate vendors that we use. We are confident that we understand the extent of the attack and the attack vectors that were used. We will put up a more detailed, technical postmortem in a few days.
People regularly attempt to gain access to our servers. Some of the attacks are minor - people rattling the door to see if it’s locked. Other attackers are more serious and try increasingly sophisticated methods to get access. We log them all, and we respond with both automation and human intervention, and follow up as appropriate. This particular attack was noteworthy because the attacker actually got somewhere that he shouldn’t have been able to. Even though the attacker didn’t get any information of value, we view the breach as very serious and we have addressed the vulnerability the attacker exploited. We are working very hard to prevent any future incidents.
We view security as an ongoing concern - the work is never done. We anticipated that as we became more visible, we’d become a more tempting target to attackers. We mapped out plans to increase our security measures as our threat profile increased. In light of the attacks of the last few weeks, we have accelerated the implementation of additional security measures. That work is continuing at a high priority.
We’ve said this before, but it is very important and bears repeating: The protection of our members’ intellectual property is one of our core promises, and we take it very seriously. We want our members to trust us with their intellectual property. We believe that the best way to earn your trust is by being transparent with you about Quantopian. We hope that we can continue to earn your trust, even when we are sharing unpleasant news.
If you have any questions or concerns, please let us know. We always reply to email received at [email protected]. We monitor [email protected] for emails concerning our security. You are always welcome to reach me personally at [email protected].
CEO and Co-Founder