Elance Hit By Security Breach

We’ve just gotten word that development-outsourcing site Elance has suffered a security breach, compromising some user information that included names, addresses, phone numbers, and location (no financial information was taken).

Multiple users have received the following letter:

It has recently come to our attention that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information. This incident did not involve any credit card, bank account, social security or tax ID numbers.

We have remedied the cause of the breach, and are working with appropriate authorities. In the meantime, please take extra precautions in protecting your Elance account. For example, do not provide your login information on any site that is not http://www.elance.com, and NEVER give out passwords by email, over the telephone or on websites that are not the Elance site.

We sincerely regret any inconvenience or disruption this may cause.

For more details and ongoing information about this, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html

Michael Culver
Vice President

Elance’s security alert site reveals that the data was taken by hackers who discovered a security hole on the site:

The hackers discovered a security hole on an unprotected page that enabled them to access a data table that contained contact information including name, email address, telephone number, city location, and username, and that contained protected versions of user passwords, in an unreadable format called a one-way hash. Their attack did not access personal financial information such as credit card, bank account, social security or tax ID numbers.

In a bizarre twist Elance’s security site says that some of the stolen user data is now appearing on OutsourcingRoom.com, a competing service. Elance writes that it is working to have the data removed.

This is only the latest in a recent string of security breaches on major web services. It’s obviously nearly impossible to guard against every kind of online threat, but if we’re going to become comfortable having our entire computing experience in the cloud, things need to change.