In addition to robust security policies and practices actively maintained by Tidepool’s Security Team, Tidepool runs a Responsible Disclosure Program that is designed to provide a safe and responsible path for security researchers to report security bugs to Tidepool that represent risk to the confidentiality, integrity and availability of our services, software, users, employees, or their data.
Bug hunters that agree to our terms may submit security-related bugs related to Tidepool services and software for bounty consideration.Our Responsible Disclosure Program is outlined in Tidepool’s Terms of Use.
Tidepool user credentials had been discovered in an online database composed of compromised web credentials (user emails, passwords, and account profile URL) that had been acquired via spyware, malware, or network security compromise.
The security researcher let us know about the exposed credentials on a system known as phonebook.cz. The repository of leaked credentials also included other systems.
No. Tidepool has performed an extensive investigation. There is no evidence that our systems were breached.If Tidepool’s systems weren’t breached, then how did the usernames and passwords for these users get exposed?
It’s likely that each of these users was subject to a vulnerability on their personal systems. This could have been through a virus on their personal systems, or a malicious application or browser plugin that intercepted local network traffic or keystrokes.
The credentials of 77 Tidepool users were identified in the online repository, representing 0.01% of our users.
After investigating and validating the security report, impacted users were notified by email of the need for Tidepool to perform a forced password reset on their accounts.
Tidepool believes in radical transparency. We wanted to share with our community this opportunity to review their personal online security practices.
Tidepool uses industry standard mechanisms for storing and protecting user credentials. All credentials are stored in an encrypted database as a secure hash, which is then “salted” to ensure only Tidepool applications can decrypt the data.
All application traffic and data is protected using strong cryptography (256-bit AES) which ensures that application traffic cannot be intercepted and decoded.
If a local system or trusted network is compromised; or a piece of software like a “bad’ browser plugin is given permission to inspect traffic, it is always possible to capture data.
Here are some of the things we do here at Tidepool:
1. Use a password manager (we use 1Password at Tidepool).
2. Use a credible anti-virus program (we use BitDefender at Tidepool).
3. Patch your devices and software automatically.
4. Enable 2-factor authentication for all services that provide it.
5. If an email or text message looks suspicious, or requesting information be delivered to an unfamiliar source, do not click the link.
You also may wish to look for evidence of compromised user credentials using a password manager (for example, the Watchtower function of 1Password), or using a trusted web site like https://haveibeenpwned.com/.
There are a lot of new and creative ways for bad actors to get a hold of private information. Some Tidepool employees have even received an email from someone trying to impersonate our CEO. Emails from Tidepool will only come from an address with the domain @tidepool.org - like the one you may have received about resetting your password and we will continue to do our part in trying to keep the internet a safer place.
We'll keep you updated with all the need to know news and announcements for Tidepool and Tidepool Loop
Donate today to support Tidepool's mission to improve the lives of People with Diabetes through affordable, accessible and interoperable technologies
Want to get the latest news and updates about Tidepool and Tidepool Loop? We promise to keep it interesting in your inbox.
