Security information and how to keep your account secure

On May 6 info-beamer observed fraudulent logins into six accounts. Two of those were in active use and had at least one active device. A video file was uploaded and assigned to devices in one of those accounts.

A thorough investigation does not indicate any security problem at info-beamer.com itself. Instead the account information consisting of email address and password was very likely stolen from compromised customer machines. We have communicated with other companies in the signage business and they confirm similar incidents. One way this can happen is if a user accidentally installed malware (a “password stealer”) on their machine or is using a browser extension that unbeknownst to them gathers account information. Such information is then often shared in underground forums where it can be traded.

As a precaution, the “Email confirmation” authentication method was added to all accounts with access to more than a few devices. When logging in, this will send an email with a code that needs to be entered during the login flow. This prevents login with just email and password, as a successful login now also requires access to the email account itself.

If you’re one of those users who now has to use this login flow, consider upgrading to a more secure method: On your account page, use the ‘2FA’ (two factor authentication) section to add at least one of the supported methods. The strongest one is a hardware device like a YubiKey. Alternatively use TOTP, which requires you to install an app that regenerates a 6-digit code every 30 seconds that you’ll need to enter during login. Finally there are backup codes that each allow you to log in a limited number of times in case you lose access to other methods. The recommendation is to add at least two of those methods, so you’re not immediately locked out of your account if you lose one of them, and finally delete the “Email confirmation” method again.

FAQ

Is my account safe?

If you properly manage the security of the machine you use to log in to info-beamer: Yes. If you’ve unknowingly installed malware, your password to info-beamer and other services might be available for bad actors to purchase. You can make this a lot harder by using any of the two factor authentication methods which info-beamer provides: Use the ‘2FA’ (two factor authentication) section on your account page for that.

We’ve now rolled out additional security measures that compare a login attempt with earlier logins and enforce two factor authentication on suspicious login attempts. If no explicit second factor is configured, the “Email confirmation” method is used instead.

I can’t access my email account

Get in contact with support. Having access to the account you’ve signed up with is a requirement for using the service. You should work on fixing this. If you need to change your account email, also get in contact.

I don’t want the email confirmation

You need to log in at least once. Then use the “Disable email confirmation on suspicious login attempt” option on your account page. This is NOT recommended and might be ignored in some cases. Instead use the two factor authentication feature offered by info-beamer by clicking on the Set up two-factor authentication… button. If you have at least one of them added, it will be used instead of the email confirmation.

What can I do to improve the security of my account?

In addition to using two factor authentication you can also use the permission system. If you share access to your account you can apply restrictions on what invited users can do in your account. The permission system is pretty flexible so you can for example restrict asset uploads to office hours or restrict access to a trusted IP range.

Is info-beamer itself safe?

Yes. There is no indication that anything was compromised on info-beamer.com’s servers.

Feedback

If you have any additional questions or need help securing your account, don’t hesitate to get in contact.
