Cyber Incident Victim: Basecamp
Date: Jan 2019
Location: United States of America
Summary
Basecamp successfully mitigated a credential stuffing attack targeting its platform, which lasted approximately one hour and involved around 30,000 login attempts from numerous IP addresses. The attack compromised approximately 100 user accounts out of a total user base of 3 million, with unauthorized access achieved using credentials likely sourced from prior large-scale breaches such as Collection #1. The company blocked suspicious IPs, implemented CAPTCHA defenses to halt the attack, and subsequently reset passwords and logged out affected users. All breached accounts had credentials previously exposed in third-party breaches, as verified through a public breach notification service.
Description
On January 29, 2019, Basecamp detected a credential stuffing attack targeting its platform at 12:45 PM Central Time when its operations team observed a significant surge in login attempts. The attack persisted for approximately one hour, during which attackers made roughly 30,000 login attempts using a broad range of IP addresses. Basecamp’s security team responded by blocking the attacking IPs to slow the intrusion and ultimately deployed a CAPTCHA system to terminate the activity. The company confirmed that unauthorized actors successfully accessed approximately 124 user accounts out of its 3 million users by leveraging valid username-password combinations. Basecamp’s investigation concluded the credentials were likely sourced from prior large-scale breaches such as Collection #1, Anti Public, or Exploit.in, with all compromised accounts appearing as ‘owned’ on haveibeenpwned.com.

Following containment, Basecamp logged out all affected users, reset their passwords, and directly notified customers whose accounts were accessed. The incident underscored the risks posed by massive credential dumps like Collection #1, an 87.18 GB dataset containing 773 million unique email-password pairs, which were cheaply available and widely circulated. While no system vulnerabilities were exploited, the attack highlighted the persistent threat of credential reuse across services. Basecamp’s disclosure aligned with contemporaneous reports from other platforms like Dailymotion, which faced similar credential stuffing campaigns. The company’s response focused on mitigating unauthorized access and informing impacted users without broader service interruptions or data exfiltration beyond account logins.
