
Data protection company Code Spaces shutters after hackers destroy data

Let this be a lesson: Back up everything.  


Rob Price


Code Spaces, a source code hosting service that offers its users a suite of project management tools, has closed permanently after a devastating hack totally wiped vast swathes of vital data.

The 7-year-old company’s website now appears to be offline, but the company issued a statement after the hack became known, a cached version of which is available here. “On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers,” the statement reads; “On this occasion… the DDOS was just the start.

“An unauthorised person who at this point who is still unknown… had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them… Reaching out to the address started a chain of events that revolved arount [sic] the person trying to extort a large fee in order to resolve the DDOS.”

The Code Spaces team began to investigate and attempted to retake control of their control panel—at which point “upon seeing us make the attempted recovery of the account [the hacker] proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI’s, some EBS instances and several machine instances.

“In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”

So catastrophic are the actions of the as-yet unknown hacker—“all we can say is that we have no reason to think it’s anyone who is or was employed with Code Spaces”—that the company has been forced to make the decision to close permanently.

“The cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for,” the company’s statement reads, “will put Code Spaces in a irreversible position both financially and in terms of on going credibility.”

Code Spaces had previously promised to be able to protect user data from such attacks, offering “full redundancy” and describing how they “have invested a great deal of time and effort in developing a real-time backup solution that allows us to keep off-site, fully functional backups of your data.”

“Backing up data is one thing, but it is meaningless without a recovery plan, not only that a recovery plan – and one that is well-practiced and proven to work time and time again,” a cached version of their website reads. “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”

Code Spaces’ data was hosted by Amazon Web Services (AWS), which offers a wide range of “multi-factor authentication” security measures. It’s unclear at this time which measures Code Spaces were employing, and how the hacker was able to circumvent them.

Security expert Rob Ayoub told CSO Online that whilst the details of the case are still not fully known, he “hope[s] that Amazon might offer some forensics help, because I feel ultimately there is a shared responsibility for security between Amazon and its customers.”

Company representatives on Twitter have admitted that they had not implemented two-stage authentication, and they believe a compromised username and password was how the hacker gained initial access to their AWS control panel.

@chrismckee No this was our mistake, I can only assume our login and password was compromised

— CodeSpaces (@CodeSpaces) June 18, 2014

The company has remained active on social media, fielding questions from the public. A “full detailed report” will, they promise, be released soon.

@dotcommike our priority right now is supporting our customers, but a full detailed report will be published soon

— CodeSpaces (@CodeSpaces) June 18, 2014

Photo via The National Archive (U.K.) / Wikimedia Commons (CC 3.0)

The Daily Dot