
Cyber Incident Victim: LucidLink

Date: Apr 2024

Location: United States of America

Summary

A malicious attack targeted LucidLink's core metadata service, causing widespread filespace access disruption. The metadata infrastructure was compromised, necessitating restoration from backups taken every six hours, with potential minor data loss limited to work conducted between the last backup and the attack. Recovery involved rebuilding metadata instances individually, initially requiring manual intervention for some filespaces before transitioning to automated batch processing. While most customers regained access through rolling restorations, a subset required additional support due to failed initializations. Users were advised to manually reconnect via the application and locally save any files modified during the outage. The incident did not compromise stored file data or leak personal or corporate information. Post-restoration communications shifted to individual support tickets for remaining cases, with a commitment to publish a detailed incident report.


Description

On April 29, 2024, at 4:20pm UTC, LucidLink identified a system outage affecting customer access to filespaces. By 4:15am UTC on April 30, initial investigations had confirmed that a malicious attack targeted the company's core metadata service infrastructure. The attack occurred at 12:55 UTC on April 29, damaging the metadata service for individual filespaces while leaving file data intact. LucidLink confirmed no pre-outage file data loss from backups and no leakage of personal or corporate information, though work conducted between the last backup and the service disruption might be unrecoverable (backups run every six hours, giving a worst-case data loss window from 6:55 UTC to 12:55 UTC). The company activated backup systems unaffected by the attack and began a two-phase restoration process: rebuilding the metadata infrastructure, then restoring each filespace's metadata instance from backups. Initial estimates projected 6-8 hours for full restoration starting from 12:15pm UTC on April 30, with infrastructure rebuilding prioritized before individual filespace recovery.


Restoration efforts encountered operational complexities requiring phased deployment. By 3:30pm UTC on April 30, LucidLink had manually reconnected unaffected metadata instances to the discovery service, while metadata restoration for affected filespaces commenced with an updated 4-6 hour timeline. Approximately 20% of filespaces required manual intervention, which slowed initial progress until batch processing scalability improvements at 6:30pm UTC. Customers experienced "AuthProxy: Call to the LucidLink filespaces service timed out" errors during recovery, indicating partial connectivity restoration. The company advised users to manually reconnect via the LucidLink App and recommended locally saving files modified during the outage. By 9:00pm UTC, restoration velocity had increased, with 20% completion and full restoration projected within 6-8 hours through rolling batches. The final large-scale batch run, estimated at 4 hours, was initiated at 00:00 UTC on May 1 and had restored most filespaces by 5:15am UTC on May 1. A small subset requiring manual intervention remained, and LucidLink moved communications for unresolved cases to individual support tickets while committing to future incident reporting for organizational review.
