We’ve completed our investigation and wanted to share an update. Based on a thorough review of the unauthorized party’s account activity, we can see their access to email addresses was limited. Here’s a recap:
Only email addresses were viewed and contacted by the unauthorized third party — no other personal information was accessed.
6,090 iNaturalist community members received a fraudulent email. We directly followed up with these individuals via email afterward to let them know.
Our investigation showed that the unauthorized third party may have viewed up to 933 additional email addresses.
We immediately improved security for our email system, and will continue to improve security measures across iNaturalist.
Thank you for your patience and for the thoughtful responses in this thread. We’re using this as an opportunity to assess and strengthen security practices across iNaturalist.
Original message from February 28:
We want to let you know that a security incident affected our email system in the last 24 hours. An unauthorized party briefly obtained access to the third-party service we use to send emails.
WHAT HAPPENED
The unauthorized party sent a single fraudulent email to about 6,100 iNaturalist users. The fraudulent email was sent from noreply[at]inaturalist[dot]org with the subject “New Ledger Live Update.” If you were one of the people who received this email, please delete it immediately and do not click any links.
While the unauthorized party had access to our account, they may have had the opportunity to view an unknown number of email addresses associated with iNaturalist accounts. No personal information other than email addresses was exposed.
WHAT WE’RE DOING
We immediately updated our security systems, and this unauthorized party no longer has the ability to send emails.
We’re reviewing our overall security practices to ensure this does not happen again.
Our team is investigating to learn as much as we can about what exactly this unauthorized party might have done while they had brief access to our email system.
We’re very sorry this happened and are committed to strengthening our systems and communicating with you as we learn more.
Carrie: thanks to you and the rest of the staff for this quick and honest response to a breach - many organizations would have spent a long time debating how to cover their [choose your anatomic part] instead of just admitting to the problem.
I was one of the recipients of the message, and at first assumed they had just managed to spoof the iNat address, but looking at the headers it appeared to actually originate within iNaturalist, which had me a bit worried about a security problem. Glad you figured it out and fixed it quickly.
PS: I did click on the link (from within a sandboxed browser) and it just went to a non-existent iNat page, returning a “not found” error. Not sure what they were hoping to achieve with that.
Thanks for the update and the quick action on this! It is sad to see that no one is safe these days from phishing attacks!
As part of reviewing security practices, it would be great if 2-step verification for iNat could also be brought into the picture again. I know this was discussed before and was not considered to be a priority at the time… however, times have changed since 2019…
A couple of years ago I was a victim of hacking myself. Someone gained access to my primary email and started asking for password resets on many of the sites I was using. Luckily iNat was not on the list, so no harm was done, but I hate to think what would happen if someone were to gain access to my iNat account and simply delete it… I have spent a lot of time adding observations and identifications, so a big part of my life would be lost forever!
In the meantime I have implemented 2-step verification for all sites I am using on a regular basis, even those which do not contain sensitive / financial information.
Unfortunately iNat is one of the few sites left which don’t support 2-step verification, and it is by far the one I am using the most.
It would be great to see this added to iNat in a reasonable timeframe.
Thanks all for your comments here — we just shared a brief update in the original post above.
We’ll continue to take steps to improve and strengthen security across our team and the platform. The team and I really appreciate everyone’s feedback and helpful comments!
Good to hear that the access was limited, although the limit “0” would have been better. Things could happen, and you could learn and do it better in the future.
For me, some important information in this “learning process” is missing:
HOW could they access your system? Was it a gap in any outdated software? Or in the IT infrastructure used? Did someone on the team make a mistake while programming something? Click a link they shouldn’t have?
And what actions have you concretely taken to prevent it in the future? “To improve security” is quite a wide range (or at least what people want to hear in such cases).
Seeing some more detail of your assessment would be helpful for me as a user of iNat, to think about my confidence in iNat for future usage.