On Friday, October 5th, Recurly was notified by a vendor, Apollo.io, of a security exposure created in their server environment. Recurly used Apollo to provide Recurly with sales lead and marketing services. Apollo informed us that they believe the data leak included Recurly data such as customer names and contact information. Many of you may have already read about this incident in this TechCrunch article.

Timeline according to Apollo.io:

  • A server in Apollo’s environment was misconfigured on July 16th, 2018

  • Recurly synced Salesforce data with Apollo for the first time on July 18th, 2018

  • Apollo closed the publicly available server setting on July 25th, 2018

  • Apollo notified Recurly of the exposure for the first time on October 5th, 2018

Recurly firmly believes that in order to be trusted with the responsibility of handling sensitive data, firms must be committed to handling all matters with the utmost speed, clarity, and transparency.

We deeply regret that this event occurred. At the same time, we want to assure you that no Recurly application or transaction data was exposed in this incident. In addition, none of Recurly’s own systems and networks were impacted – only those of our vendor.

After learning of the event, Recurly immediately shut down Apollo’s access to Recurly’s information and ended its use of Apollo’s services. In addition, Apollo.io has confirmed that they have deleted all Recurly sales data held in their systems.

For further clarity, Recurly did not share application data, transaction data, or log-in credentials with Apollo, and therefore that information was not exposed by this incident.

What was exposed in the Apollo security event:

Recurly’s Salesforce data shared with Apollo included the following fields of information:

Salesforce Lead/Contacts

  • name

  • title and current employment

  • email

  • phone

  • location (e.g., region, state, country, etc.)

  • status of that contact (hash encoded)

Salesforce Account

  • name

  • company website

  • the status of that account encoded as a 24-digit hexadecimal ID

Salesforce Opportunities

  • name

  • company name

  • opportunity state (open, closed, won, lost, etc.)

  • opportunity size

We suggest that you be extra vigilant against spear-phishing campaigns that request login credentials or other sensitive information. We remind you that Recurly never requests sensitive information to be provided by way of an email or phone call. As a precaution, we also recommend that you maximize your Recurly security posture by using strong passwords, enabling 2-factor authentication (2FA) in our application, and leveraging our single sign-on (SSO) capability.

If you have questions, please contact your Account Manager, Customer Success Manager, or Recurly Technical Support team (in-app chat or security-support@recurly.com).

Sincerely,

Dan Burkhart

CEO, Recurly Inc.