A Note From Our Chief Security Officer
Last night we were made aware of a security issue with regards to the manner in which we handle the passing of encrypted passwords within a specific domain. It was brought to our attention that an Egnyte user accessing the “users and groups” management page of their particular domain could use a packet sniffer to see the MD5 encrypted passwords of the other users within their domain. The passwords that are passed belong only to that domain, no other domains are ever accessed, and the passwords are in fact encrypted.

In accordance with the January 2009 US-CERT vulnerability note VU#836068, we moved away from using the MD5 hashing algorithm, and moved our entire encryption scheme to the Bcrypt standard. Unbeknownst to us, a small piece of legacy code remained, and despite use of a leading third party security risk assessment service the code survived. Once we were made aware, we responded immediately, and have removed the code, and installed a fix.

We would like to stress, at no time were unencrypted passwords made visible to anyone, and at no time were the encrypted passwords of one domain made visible to another. We take every possible security breach seriously and we remain ever vigilant in order to provide the best, most secure products and services available in the marketplace. If you would like to learn more about our security, please download our security whitepaper.

Sincerely,

Kris Lahiri
Chief Security Officer
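The defect described in the note is a user-management page that received the stored password hashes of every user in the domain along with the listing data, so anyone able to observe that traffic could read them. The following Python is an added example, not Egnyte's code; the field names, the sample records (with made-up hash values) and the regex patterns are assumptions. It shows the two controls a practitioner would want after such an incident: serializing only an allow-list of fields for the listing, and a regression check that scans a response body for hash-shaped values so a leftover legacy code path that reintroduces them fails a test instead of surviving review.

```python
import json
import re
from typing import Dict, List

# Constructed sample records, shaped like a back-end user store might hold them.
# The hash strings are placeholders: one bcrypt-shaped, one legacy MD5-shaped.
USERS: List[Dict[str, object]] = [
    {"id": 1, "username": "alice", "email": "alice@example.com",
     "role": "admin", "password_hash": "$2b$12$" + "x" * 53},
    {"id": 2, "username": "bob", "email": "bob@example.com",
     "role": "member", "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
]

# Allow-list: the only fields the "users and groups" page needs to render.
# Anything not named here (hashes, tokens, future columns) never leaves the server.
USER_LIST_FIELDS = ("id", "username", "email", "role")


def legacy_user_listing(users: List[Dict[str, object]]) -> str:
    """Hypothetical pre-fix behaviour: serialize whole records, hash included."""
    return json.dumps(users)


def user_listing(users: List[Dict[str, object]]) -> str:
    """Post-fix behaviour: copy only allow-listed fields into the response."""
    return json.dumps([{k: u[k] for k in USER_LIST_FIELDS if k in u} for u in users])


# Patterns for hash-shaped values that should never appear in a client response.
MD5_HEX = re.compile(r"\b[0-9a-f]{32}\b")
BCRYPT = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def find_hash_like_values(body: str) -> List[str]:
    """Regression check: return every substring in a response body that looks
    like an MD5 hex digest or a bcrypt hash string."""
    return MD5_HEX.findall(body) + BCRYPT.findall(body)


def response_is_clean(body: str) -> bool:
    """True when no hash-shaped value is present in the response body."""
    return not find_hash_like_values(body)


def listed_keys(body: str) -> List[str]:
    """Sorted set of field names present in a JSON array response."""
    return sorted({k for record in json.loads(body) for k in record})


if __name__ == "__main__":
    print("legacy listing clean:", response_is_clean(legacy_user_listing(USERS)))
    print("fixed listing clean:", response_is_clean(user_listing(USERS)))
    print("fields sent:", listed_keys(user_listing(USERS)))
```

The allow-list is the real fix: a deny-list of field names (drop `password_hash`) would have let the legacy path through the moment a column was renamed or a second credential field was added. The regex scan is a cheap second layer to run in an integration test against every endpoint that returns user records; it catches the class of leak rather than the one field.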