And I mean every one.
We are investigating…
Access control was disabled at 2017-03-23 15:14:00 and re-enabled at 2017-03-23 16:04:29 UTC. We have identified the root cause of the issue and will have more details forthcoming.
The issue that caused this and bug that allowed it to be turned off have been corrected. For users that had any credentials stored with us for cloud providers we also sent out this email:
Dear Rancher Sandbox user,
This email is being sent to you because of a security incident which was discovered earlier today. The incident resulted in unauthenticated admin access to Rancher Sandbox (try.rancher.com) for a period of 50 minutes. The site has since been patched and secured to prevent this from occurring again in the future.
Since the site relies on your GitHub account for authentication and we do not store any other personal information locally, we are confident the account you used to log into the site was not compromised. After going through our audit logs, which track every API request, we are also confident that there were no malicious activities during that window of time. However, a small set of users, including yourself, added hosts through the UI via a cloud provider (i.e. AWS, DigitalOcean, etc.). To be safe, we therefore recommend you immediately invalidate the keys/tokens you used to add the hosts to your environment. We also recommend you log into your cloud provider to ensure no suspicious activities were executed through your API keys/token.
We are taking all necessary steps to prevent a similar incident from happening in the future. We apologize for any inconvenience this may have caused. If you have any further questions or concerns, please email us at security@rancher.com.
-Rancher Labs