Cyber Incident Victim: PagerDuty
Date: Jul 2015
Location: United States of America
Summary
PagerDuty experienced an unauthorized intrusion where an attacker bypassed multiple authentication layers to access a replica database containing customer information, including names, email addresses, salted and peppered password hashes, and public calendar feed URLs. The company contained the breach within hours, enhanced monitoring and system hardening, and mandated password resets for all customers while advising them to reset calendar URLs and reauthorize linked mobile devices; the password hashing implementation made credential compromise computationally infeasible as the pepper remained secure.
Description
On July 9, 2015, PagerDuty detected an unauthorized intrusion into its systems after an attacker bypassed multiple layers of authentication to gain access to an administrative panel provided by one of the company's infrastructure providers. The attacker leveraged this access to log into a replica of one of PagerDuty's databases, compromising customer information including names, email addresses, hashed passwords, and public calendar feed URLs. The company contained the breach within hours of detection, terminating the attacker's access and initiating immediate mitigation efforts. PagerDuty's investigation confirmed the attacker accessed hashed passwords protected with both a salt and a pepper; because the pepper was stored outside the database and remained uncompromised, recovering the original passwords from the stolen hashes was computationally infeasible. Public calendar feed URLs, which provided read-only access to users' on-call schedules, were also exposed but did not grant further system access.

PagerDuty publicly disclosed the incident on July 30, 2015, mandating a password reset for all customers effective August 3 and advising users to reset calendar feed URLs and revoke mobile device access linked to their accounts. The company enhanced its monitoring, detection capabilities, and system hardening measures following the breach. No evidence indicated misuse of the compromised data, but the incident impacted all customers, necessitating widespread credential updates. PagerDuty emphasized the layered security measures protecting passwords while acknowledging the exposure of limited personal information. The response focused on containment, transparency, and preventive infrastructure improvements to address the intrusion vector exploited through the third-party administrative panel.
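The description above turns on one design property: the password hashes were salted (per-user value stored beside the hash) and peppered (a secret kept outside the database), so a copy of the database alone is not enough to check password guesses. The following is an added illustration of that scheme, written for this page and not PagerDuty's own code; the pepper value, iteration count, and password strings are constructed for the demonstration, and in a real deployment the pepper would be loaded from a secret store or environment variable rather than appear in source.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for the example (not values from the incident).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the pepper with HMAC before the slow hash.

    Keying HMAC with the pepper (rather than appending it as a suffix) means
    the pepper never sits inside the hashed input as plain bytes.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Return the record that would be persisted in the user database.

    Only the salt, the digest and the iteration count are stored. The pepper is
    deliberately absent from the record: a database replica leaks the first
    three, but a verifier still needs the pepper to recompute the digest.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute the digest with the supplied pepper and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, expected)


def record_verifies_without_pepper(record: dict, password: str) -> bool:
    """Model what a stolen database record alone can confirm.

    A holder of the replica has the salt and the hash but not the pepper, so
    even the correct password fails to verify. This is the property that made
    the exposed hashes unusable once the pepper was confirmed intact.
    """
    return verify_password(password, b"", record)


if __name__ == "__main__":
    # Constructed demo pepper; production code reads this from a secret store.
    demo_pepper = b"constructed-demo-pepper-do-not-reuse"
    stored = hash_password("correct horse battery staple", demo_pepper)
    print("stored record fields:", sorted(stored))
    print("login with pepper:", verify_password("correct horse battery staple", demo_pepper, stored))
    print("stolen record alone:", record_verifies_without_pepper(stored, "correct horse battery staple"))
```

Two points follow from the code. First, rotating the pepper invalidates every stored hash, so peppers are normally versioned and recorded alongside the hash so old records can be migrated on next login; the record format above would need a pepper identifier for that. Second, the pepper only helps if it genuinely lives apart from the database: a pepper stored in the same replica, or in configuration reachable from the same administrative panel, would have been exposed along with the hashes.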
