“Our Security Team recently discovered and blocked suspicious activity on Cerberus servers,” the company said in an e-mail to affected users. “The investigation found no evidence that your account was in any way accessed or compromised. However, the attacker(s) were able to gain access to user names and encrypted passwords for a subset of our users. No other personal data (e-mails, device information, etc.) has been accessed.”
The company says a total of three accounts were accessed by the attacker or attackers before the company reset the passwords. At this point, the company says, the stolen data doesn’t appear to have been released publicly.
While the main database wasn’t accessed, the attacker or attackers were able to access a legacy log file that contained user names and SHA-1 hashes of passwords. The company has since deleted the log file and stopped the legacy logging procedure.
All affected users are being asked to create a new password on the company’s Web site, and to check their logs to ensure that no unauthorized commands have been sent to their device.
“We have already contacted a security firm and in the next weeks we will do a thorough code audit and security assessment of our infrastructure and procedures,” the company stated in the notification e-mail. “We are a small team (3 people) and are trying our best to provide a secure service that you can trust to protect your devices and help you recover them if they are lost or stolen.”