A misconfigured CouchDB replica of anyfile had public endpoints.
The incident
A replica of CouchDB data was reachable through its REST endpoints on an exposed IP address. Because the base CouchDB image was misconfigured, the replica required no authentication for either read or write access.
There was no downtime, but anyfile's internal data was exposed to anyone who could reach that IP address and database.
The attackers also added users to the CouchDB _users database, which would have let them keep accessing the replica after authentication was enforced.
These additional users have been purged.
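As an added illustration (not anyfile's own tooling) of the two checks this incident calls for, the following Python inspects a CouchDB server's GET /_session answer for unauthenticated _admin rights ("admin party") and lists accounts in the _users database that are not on an expected list. The response shapes are CouchDB's real ones; the sample responses, account names and expected-user list are constructed.

```python
"""Post-incident CouchDB audit helpers (added example, not anyfile's code).

Two questions: (1) does an unauthenticated GET /_session report the _admin
role, i.e. the server is in "admin party" mode; (2) which documents in the
_users database name accounts that are not on the expected list.
"""
import json
from typing import Dict, Iterable, List

# CouchDB stores each account in _users under this document id prefix.
USER_PREFIX = "org.couchdb.user:"


def is_admin_party(session_response: Dict) -> bool:
    """True when an unauthenticated session carries the _admin role.
    GET /_session answers {"ok":true,"userCtx":{"name":...,"roles":[...]}};
    a null name with "_admin" in roles means no admin has been configured."""
    ctx = session_response.get("userCtx", {})
    return ctx.get("name") is None and "_admin" in ctx.get("roles", [])


def unexpected_users(all_docs_response: Dict, expected: Iterable[str]) -> List[str]:
    """Account names from GET /_users/_all_docs that are not expected.
    Design documents such as _design/_auth are skipped."""
    expected_set = set(expected)
    found = []
    for row in all_docs_response.get("rows", []):
        doc_id = row.get("id", "")
        if not doc_id.startswith(USER_PREFIX):
            continue
        name = doc_id[len(USER_PREFIX):]
        if name not in expected_set:
            found.append(name)
    return sorted(found)


def audit(session_response: Dict, all_docs_response: Dict, expected: Iterable[str]) -> Dict:
    """Combine both checks into one report."""
    return {"admin_party": is_admin_party(session_response),
            "unexpected_users": unexpected_users(all_docs_response, expected)}


# Constructed sample responses, shaped like CouchDB's real JSON.
SAMPLE_SESSION = {"ok": True, "userCtx": {"name": None, "roles": ["_admin"]},
                  "info": {"authentication_db": "_users"}}
SAMPLE_ALL_DOCS = {"total_rows": 4, "offset": 0, "rows": [
    {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-a"}},
    {"id": "org.couchdb.user:replicator", "key": "org.couchdb.user:replicator", "value": {"rev": "1-b"}},
    {"id": "org.couchdb.user:unknown-acct", "key": "org.couchdb.user:unknown-acct", "value": {"rev": "1-c"}},
    {"id": "org.couchdb.user:support", "key": "org.couchdb.user:support", "value": {"rev": "1-d"}}]}
EXPECTED_USERS = {"replicator", "support"}  # constructed allowlist

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SESSION, SAMPLE_ALL_DOCS, EXPECTED_USERS), indent=2))
```

Run against a live server by feeding it the parsed JSON of GET /_session (unauthenticated) and GET /_users/_all_docs (as admin); any "admin_party": true or non-empty "unexpected_users" is a finding to act on.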
Security Policy Changes
Security violations are taken very seriously. We are restricting access to all non-public-facing servers to a whitelist of IP addresses. We are also looking into a bug bounty program to encourage white-hat disclosures.
Closing thoughts
Bugs are going to happen at any company, and doubly so at fast-moving startups. They are not fun when they happen, but they must be addressed transparently.