FireEye Provides Update on Allegations of Breach

I wanted to provide you an update of our investigation into allegations made earlier this week that FireEye had been breached. As background, on July 31, 2017 an anonymous individual (Attacker) claimed he had breached our corporate network. After six days of intensive investigation, we would like to provide our preliminary conclusions:

  • The Attacker did not breach, compromise or access our corporate network, despite multiple failed attempts to do so.
  • The Attacker did not breach, compromise or access the Victim’s personal or corporate computers, laptops or other devices.
  • We confirmed the Victim’s passwords and/or credentials to his personal social media and email accounts were among those exposed in at least eight publicly disclosed third party breaches (including LinkedIn) dating back to 2016 and earlier.
  • Starting in September 2016, the Attacker used those stolen passwords and/or credentials to access several of the Victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts.
  • The Attacker publicly released three FireEye corporate documents, which he obtained from the Victim’s personal online accounts.
  • All of the other documents released by the Attacker were previously publicly available or were screen captures created by the Attacker.
  • A number of the screen captures created by the Attacker and posted online are misleading, and seem intentionally so. They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the Attacker.

The Victim supports a very small number of customers. Two customer names were identified in the Victim’s personal email and disclosed by the Attacker. We believe these are the only two customers impacted by this incident. 

Since learning of this incident, we took actions that include, but are not limited to the following:

  • We contacted the two identified customers as soon as we learned of this incident and have kept them apprised of the situation throughout the week.
  • We immediately contained the Victim’s systems.
  • We collected and reviewed forensic data from the Victim’s systems.
  • We disabled the Victim’s FireEye corporate accounts.
  • We worked with the Victim to regain control of his personal online accounts.
  • We worked with the Victim to secure his personal online accounts, including implementing multi-factor authentication where possible.
  • We communicated to all FireEye employees, both verbally and in writing, a reminder to be vigilant and provided detailed steps to best secure their personal accounts.
  • We worked with the Victim and his online third party service providers to obtain any available log data that could assist our investigation.
  • We reviewed all data sent to and from FireEye email to the Victim’s online accounts.
  • We reviewed authentication and access activity on the Victim’s corporate, single sign-on (SSO), multi-factor, and third-party accounts.

Our investigators continue to work around the clock. While we do not anticipate any significant new discoveries, we will update you if any relevant information emerges. In the meantime, if you have any further questions, please do not hesitate to reach out to me, Steven Booth, CSO, directly at steven.booth@fireeye.com.

We understand the trust our customers place in FireEye, and we will continue to do all we can to earn and keep that trust. We will also engage with law enforcement and intelligence agencies as appropriate, as we routinely do to identify and prosecute cyber criminals. We thank you for your support during this ongoing investigation.