We know, we knew within 45 seconds of it happening, we know exactly how it happened, the impact is limited exclusively to this Twitter account, we’ll say more when we’re done working with X.com.
Thank you. Believe me, I am very much looking forward to telling the story of what happened here, but I can’t until this is 100% certified buttoned up by Matt Braun and our security team. (Again: this is exclusively a Twitter thing; none of our actual assets were ever put at risk here, nor could they have been in this specific kind of dumb incident.)
We’re all buttoned up, for those concerned about our ongoing BrAnD iNtEgRiTy. It was a well-executed targeted phishing attack. Virtually everything at Fly.io is behind phishing-proof MFA SSO… except Twitter, which is an ancient legacy shared account for us. We’ll write more later.
Man that blog post you posted on this was terrible.
It was basically it’s not our fault we got phished. But if you fell for the crypto scam that was posted you’re a complete idiot. So tone deaf, definitely a cause to reflect on current and future usage of Fly.
I’m curious how you would have written it. The blog literally blamed it on Kurt (also as a jest) so I don’t understand the “it’s not our fault” interpretation.
You say “it was a pretty good phishing attack” combined with the X post being “a not-very-plausible crypto scam”
Actually no, this phish was quite obvious, there’s a screenshot of the email. Even without looking at the sender address or the link URL, everything about how it looks and reads feels off. The whole claim of “simply removing the content does not help your case. if you decide not to address the issue your page may be suspended” is very odd, unless it’s a phish trying to pressure you into clicking through and entering your credentials.
The fact the password manager didn’t autofill also should have been a red flag once you click. But apparently you never took protecting against phishing seriously, you just assumed oh the 2FA will block it, until it didn’t. Real security works in layers, not just oh I think everything has phishing resistant 2FA so we don’t have to worry about anything else.
Here’s the thing, mistakes happen, things slip through the cracks. And yes the crypto scam was obvious, but so was this phish, but it works, because nobody is perfect. Writing a blog post that was so as you put it flippant when just like Kurt fell for the phish someone could have fallen for the crypto scam and lost actual money is quite bizarre. And that’s the thing to you that was just “15+ hours of brand damage, and extra security engineering cycles burnt on watchful waiting.”
And while you claim that “Our users weren’t under attack” they were, or at least any crypto they held was. And unlike the phishing email the crypto scam came from what should have been a trustworthy source.
I sincerely hope you were right in your assumption nobody fell for the crypto scam. But man if someone did you really added insult to injury with that post.
Maybe that’s the problem. I’m not taking this seriously… should I? Or are you taking it too seriously when it’s not that big of a deal? Iono maybe a mix of both.
Did I really go and defend Fly (or in this case Kurt’s oof?) I don’t think so. I’m just trying to ask if you’re overreacting. If there was an actual hack into the Fly infra, then it would be a different story… anyways… have a good weekend.
Just because they didn’t get into Fly infra doesn’t mean no damage was done. The problem is the damage was to anyone who fell for the crypto scam not Fly so they seemingly don’t care because it’s not their problem. And yeah that attitude is kinda problematic.
The problem isn’t that someone got into their X account, the problem is their tone deaf response.
It’s a response from one person, and it wasn’t mocking victims of scams; I thought it was an amused commentary on the pompousness of corporate ideology.
For what it’s worth, I find Fly refreshing. I think they’re a start-up, and everyone is empowered to make a difference, everyone can speak their mind, everyone can be their authentic selves. I think BetterStack have a similar culture. Maybe Fly’ll become a big, boring corporation eventually, and then everyone will be minding their manners, and self-censoring, lest someone searching for offence finds a reason to double the fury they came in with. But hopefully they’re not there yet!
Have you read that blog post? They come out and basically say as much.
They say “Had this been an impactful attack…” clearly implying it wasn’t, and sure if they only care about the impact to themselves, ignoring any victims of the underlying fraud, they’re right - it wasn’t that impactful… to them.
“The cool kids haven’t done phishing simulation training in years.” They clearly haven’t but any serious organization does train users to identify phishing, not because it will stop all phishing (it won’t) but because knowledge is one tool in a layered security approach.
Oh and what was that about them not mocking scam victims again?
“If you were inclined to take us up on an ‘airdrop’ to ‘claim a share’ of the ‘token’ powering Fly.io, the site is still up.” (Link removed by me)
One need not work for a giant soulless corporation to know this is just poor taste. I work for a startup that’s even smaller than Fly, I would never post something like that even on a personal channel because it’s just so gross. Like have some compassion for the real victims, because we all know already the real victim wasn’t Fly it was anyone who clicked on that link posted to their X page.
That said I think this is the sign to get out. I now get to work through the weekend to plan out migration off Fly.
Each to their own, I guess. I can’t prove you’re over-reacting any more than you can prove that you’re not. But I fear you’ll be working a lot of weekends, planning lots of migrations as you become furious at each successive provider.
Much of the world suffers a culture of outrage at the moment, and I wonder if it is not healthy. (For what it is worth, I do not claim to be entirely immune to it).