As you are aware, Tricentis Flood (“Flood”) recently notified our customers of a security incident that occurred on 20 June 2020. We are now providing an update on the status of this matter and our actions taken in response.

In the late evening of 20 June 2020 (UTC), automated systems detected a security incident involving Tricentis Flood systems. We took immediate action to contain the incident within 45 minutes of discovery and have since been carrying out further investigation and remediation measures.

Our investigation determined that on 20 June 2020, unauthorized actors gained access to Flood’s backend systems via an exploitation of a verified, commercial application called Waydev, on the GitHub marketplace. Upon learning of the unauthorized access, the Flood team immediately implemented containment procedures, including scrambling all user passwords to force a password reset and rotating all user API tokens used for programmatic access to Flood. The Flood team also replaced the entire production environment on the same day, including rotating all production secrets. Technical remediation continues around source code management, secrets management, and a custom storage solution configurable by customers. Moving forward, we will not trust any third-party access to source code management.

The incident was promptly reported to relevant customers, and the appropriate data protection authorities and law enforcement were notified.

Although there was no evidence to confirm that data was successfully exfiltrated, Tricentis Flood engaged a third party specialist to investigate whether potentially impacted data is present on other internet platforms out of an abundance of caution. To date, no Flood customer data has been found.

Tricentis Flood greatly values our customers and regrets any inconvenience this incident may have caused. We are committed to providing the best and most secure load testing infrastructure for our customers, and we look forward to continuing to provide you exceptional service in the future.

We have completed investigations and are able to trace the origin of the attack. This includes working with third party service providers.

Technical remediation continues around source code management, secrets management and a configurable storage solution for customers. We anticipate rolling out configurable storage for hosted customers in the coming week after more internal testing.

We are happy to share indicators of attack / compromise with security teams from our customer base.

Please contact support@flood.io if you have any questions. Thank you for your patience.

We are rolling out changes to our security management systems shortly. We will be running a short planned outage to make these changes and advise here once those changes are complete. Apologies for the disruption to service.

As a precaution, we will be rotating all user passwords in our main application database shortly. This is because we are modifying the way in which our third-party SSO provider communicates with Flood.

This will require you to reset your user password if using password-based authentication to access Flood.

You may have seen an incident reported recently regarding a security breach at Tricentis Flood. We want to provide preliminary information about what has happened, what information was involved, and what steps we are currently undertaking to help protect you.

What Happened?
---
On 21 June 2020, automated systems detected a security breach of services provided by Tricentis Flood. We took immediate action to contain the breach and have since been carrying out further investigation, remediation and notification measures. The incident is reported on our Flood incident status page: https://status.flood.io/incidents/gsw7vx8cqxk5

This incident is also closely related to last week's strategic Cyber attacks on Australian authorities and businesses: https://www.abc.net.au/news/2020-06-19/foreign-cyber-hack-targets-australian-government-andbusiness/12372470

We believe the purpose of the attack was to steal customer data and, credentials that allow Flood to orchestrate load testing infrastructure for customers through third-party cloud providers. These credentials are used by a subset of Flood customers who utilize our 'hosted' grid infrastructure.

What Information Was Stolen?
---
Potentially a cryptographic hash of user passwords has been obtained. While we use an irreversible hashing algorithm based on Bcrypt, we have already scrambled passwords as a precaution. This means if you use username and password authentication to access Flood, you will need to reset your password.

Additionally, the API token that you use to programmatically access Flood may have been revealed. We have already rotated all user's API tokens to prevent unauthorized use.

The following specific user information may have been obtained from your account:
- This email address
- Your first name
- Your last name
- Your nickname
- Your company size
- Your employee role

Potentially the following specific account information has also been obtained:
- Your account name
- Your address line
- Your suburb
- Your country
- Your postal or zip code

If your account has a history of using third party cloud provider credentials, we believe your credentials in the form of access key identifiers and their secrets may have been revealed. While we encrypt these credentials in our database using an AES-256-GCM algorithm, it is possible that these credentials may be decrypted.

As we cannot rotate these credentials on behalf of our customers, we ask that you either delete/replace the credentials themselves or change the associated secret.

Next Steps
---
We cannot determine if any customer test data you have provided to us, in the form of test plans and supporting test data has been obtained from your account. However, we are working on the assumption this has occurred. We will be introducing changes to the way we manage customer test data through the provision of configurable storage soon. This means we will be taking an alternative approach to persisting and encrypting customer test data. We do not plan to migrate any customer test data provided to us before this impending change.

We are releasing this message to impacted customers via email. We will release another notice to account owners via email and this status page when this change is made. We will also provide a way for you to obtain your test data, including the option to destroy it permanently.

We will be providing a detailed post-mortem of this incident at our blog, once we have completed these steps.

For More Information
---
For status updates regarding this incident, please subscribe to updates here on https://status.flood.io

If you have any questions, please feel free to contact our team at support@flood.io

Thank you for your patience and support throughout this challenging issue.

We are currently modifying our storage subsystem in response to the security incident. Please bear with us while we make the changes. You may temporarily be unable to upload new files to streams, whilst we make this change.

We are in the process of reviewing and updating weaker parts of our infrastructure in response to the security breach.

At this stage, we are still maintaining normal operations, but flagging components as 'degraded' while we conduct this work. This also makes this incident visible from our support portal.

Please don't hesitate to contact support@flood.io for assistance or if you have questions.

As a precaution, we have reset the user password and personal API access token for all Flood users. Social logins are not impacted.

You can reset your password from the login page at https://app.flood.io/login

You can reset your API access token from the API page at https://app.flood.io/account/api

If you have any difficulties, please don't hesitate to contact support@flood.io for assistance. Thank you for your continued patience with this.

We are currently investigating the security incident reported yesterday in more detail. We will use these means to inform you of any updates.