[Security Notice] Prevent illegal access by not reusing passwords with other services

Hi Nulab users,

Recently, we detected an incident where a third party illegally attempted to log in to some Nulab accounts.

We believe that this is a credential-based attack, presumably using password lists (containing email addresses and passwords) obtained from other channels to try to log in to various Nulab accounts. The attempts and illegal logins were detected and confirmed to be unauthorized, and passwords for the affected accounts were disabled to prevent further access.

After investigating our systems, we found no evidence of security loopholes, nor any customer information (including passwords) leaked from Nulab that could have led to this incident.

We want to inform all users and provide further information on how you can secure your accounts to prevent similar occurrences in the future.

  • Dates on which the attacks occurred: December 5 to 8, 2020
  • Number of illegal login attempts: Approximately 100,000
  • Number of accounts attacked: Approximately 1,500
  • Number of accounts illegally logged in to: Approximately 760

Our response after confirmation of unauthorized access

We disabled the passwords of the affected accounts on December 9, 2020, at 6:00 pm (JST), so they could no longer be logged in to using the previously set passwords. Subsequently, we emailed all of the affected users asking them to reset their passwords.

Impact on users due to unauthorized access

If your account was illegally logged into, there is a possibility that the third party can see the information contained within your Nulab service(s) (i.e., Backlog, Cacoo, Typetalk).

However, personal information such as credit card numbers was not leaked. In addition, there is no evidence that passwords were changed during unauthorized logins.

To prevent further unauthorized access, users with affected accounts will not be able to log in until they have reset their passwords.

Help strengthen your Nulab account’s security

Set up two-factor authentication

We recommend that you set up two-factor authentication to strengthen the security of your account in case of illegal login attempts. Two-factor authentication provides an additional step of authentication with a mobile device or biometric device, in addition to your password when you’re logging in to your Nulab account. This helps prevent unauthorized logins, even if your password becomes known to a third party.

See our guide on how to set up two-factor authentication

Use unique passwords

It is also possible that the passwords of the affected Nulab accounts were used on other sites and leaked from them. We recommend that you do not use the same password for multiple accounts.

See our guide on managing and changing your password

Enable login alerts

Enabling login alerts ensures that you will receive an email notification when your Nulab account is logged into with a new browser or device. This allows you to be alerted to any unauthorized logins.

See our guide on turning login alerts on/off

Thank you for using Nulab’s services.

We will continue to implement security measures to ensure that all users have peace of mind when using our services. If you have any questions regarding this incident, please feel free to contact us.