Distributed Brute Force Attack on FullTraffic
Since yesterday afternoon, at approximately 2 PM, we began to see signs of an attack known as a "Distributed Brute Force" attack, trying to gain access to any of our users' accounts.
Since we work with CloudFlare to prevent attacks of this kind, which could allow access to private information, we immediately turned on a strong barrier that completely blocks access to the site when it detects that a hit is not from a real user. During that period some users may have seen a page asking them to wait a few seconds to access FullTraffic while some extra checks were performed. After that first check no extra filtering was needed (no extra delay).
A "Brute Force" attack attempts to guess user passwords by trying every possible combination. However, we found that the attacker was testing many different email addresses, not one in particular and not even addresses used by our users, which makes success in this type of attack almost impossible.
A few minutes after detecting the attack, we implemented an extra safety measure by adding a CAPTCHA to our login page, thus slowing any attempt to even try username/password combinations without successfully completing the CAPTCHA first.
Even so, the attack hasn't stopped and is still trying thousands of username/password combinations every minute, but there's nothing you need to worry about: NONE of these attempts have passed the CAPTCHA, so those username/password combinations were never even tested against our accounts.
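The pattern described above (a burst of failed attempts from many source addresses, most of them against email addresses that do not belong to any account, all stopped at the CAPTCHA) is something a login-audit log can surface automatically. The following is an added example, not FullTraffic's or CloudFlare's code: it assumes a simple one-line-per-attempt log format (timestamp, source IP, username tried, outcome) and constructed sample lines, summarizes each minute, flags the distributed-guessing signature, and derives from that whether the login page should currently demand a CAPTCHA, which is the automatic re-enable behaviour this notice describes.

```python
"""Detect a distributed brute-force pattern in login-audit logs and decide
whether the login page should require a CAPTCHA.

Added example, not FullTraffic's implementation. Assumed log format, one
space-separated line per login attempt:
  <ISO-8601 timestamp> <source IP> <username tried> <outcome>
where outcome is one of: ok, bad_password, captcha_failed.
"""
from collections import defaultdict

# Constructed sample (date, addresses and usernames are all made up; the IPs
# are documentation ranges): one legitimate login, a burst of attempts from
# many source addresses against mostly non-existent accounts, then a user who
# mistypes a password once and logs in on the second try.
SAMPLE_LOG = """\
2015-03-12T14:00:03Z 203.0.113.5 alice@example.com ok
2015-03-12T14:00:07Z 198.51.100.11 bob1987@example.net captcha_failed
2015-03-12T14:00:08Z 198.51.100.12 jsmith@example.org captcha_failed
2015-03-12T14:00:09Z 198.51.100.13 admin@example.com captcha_failed
2015-03-12T14:00:10Z 198.51.100.14 alice@example.com captcha_failed
2015-03-12T14:00:11Z 198.51.100.15 info@example.net captcha_failed
2015-03-12T14:00:12Z 198.51.100.16 sales@example.org captcha_failed
2015-03-12T14:00:13Z 198.51.100.17 carol@example.com captcha_failed
2015-03-12T14:00:14Z 198.51.100.18 test@example.com captcha_failed
2015-03-12T14:01:02Z 203.0.113.9 carol@example.com bad_password
2015-03-12T14:01:20Z 203.0.113.9 carol@example.com ok
"""

# Constructed user base used to tell real accounts from guessed addresses.
KNOWN_USERS = {"alice@example.com", "carol@example.com"}


def parse_line(line):
    """Split one log line into its fields; the minute bucket is the timestamp
    truncated to YYYY-MM-DDTHH:MM."""
    ts, ip, user, outcome = line.split()
    return {"minute": ts[:16], "ip": ip, "user": user.lower(), "outcome": outcome}


def summarize_by_minute(log_text, known_users):
    """Per-minute counters that separate a distributed attack from normal traffic."""
    buckets = defaultdict(lambda: {
        "attempts": 0, "failed": 0, "captcha_blocked": 0,
        "unknown_users": 0, "ips": set(), "users": set(),
    })
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        b = buckets[ev["minute"]]
        b["attempts"] += 1
        b["ips"].add(ev["ip"])
        b["users"].add(ev["user"])
        if ev["outcome"] != "ok":
            b["failed"] += 1
        if ev["outcome"] == "captcha_failed":
            b["captcha_blocked"] += 1  # never reached the credential check
        if ev["user"] not in known_users:
            b["unknown_users"] += 1
    return buckets


def is_distributed_brute_force(bucket, min_failed=5, min_ips=5):
    """Many failures, spread over many source addresses, mostly against
    usernames that do not exist: the signature described in the notice.
    Thresholds are constructed for the sample, not tuned for production."""
    many_failures = bucket["failed"] >= min_failed
    many_sources = len(bucket["ips"]) >= min_ips
    mostly_unknown = bucket["unknown_users"] > bucket["attempts"] / 2
    return many_failures and many_sources and mostly_unknown


def attack_minutes(buckets):
    """Sorted list of minute keys that match the attack signature."""
    return sorted(m for m, b in buckets.items() if is_distributed_brute_force(b))


def captcha_required(buckets):
    """Keep the CAPTCHA on the login page while any minute in the window is
    flagged; once the window is clean the measure switches itself off."""
    return bool(attack_minutes(buckets))


if __name__ == "__main__":
    stats = summarize_by_minute(SAMPLE_LOG, KNOWN_USERS)
    for minute, b in sorted(stats.items()):
        print(minute, "attempts=%d failed=%d ips=%d unknown=%d flagged=%s" % (
            b["attempts"], b["failed"], len(b["ips"]), b["unknown_users"],
            is_distributed_brute_force(b)))
    print("CAPTCHA required:", captcha_required(stats))
```

The second minute in the sample (one real user mistyping a password from a single address) is deliberately not flagged: a single-source retry is normal traffic, and the three conditions together are what distinguish the distributed pattern from it.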
Just as an FYI, ALL sensitive information on our servers is encrypted using a unique SALT per user. So even if an attacker had the opportunity to access a specific account there's not much to gain from it, since even credit card numbers are not stored on our servers (we only keep a "key" that allows future charges), and so it would be completely useless to anyone outside FullTraffic. Also, account passwords are encrypted in such a way that not even a FullTraffic team member can read your password.
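To illustrate the "unique salt per user" and "nobody can read your password" points, here is an added example of per-user salted password storage. It is not FullTraffic's implementation; it assumes the standard one-way approach for passwords (PBKDF2-HMAC-SHA256 from Python's standard library, a fresh random 16-byte salt per record) rather than reversible encryption, and the record format `algorithm$iterations$salt$hash` is an assumption as well.

```python
"""Per-user salted password hashing (added example, not FullTraffic's code).

Each stored record carries its own random salt, so two users with the same
password get different records and a table of precomputed hashes is useless;
the hash is one-way, so nobody holding the record can recover the password.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # work factor; tune so one check takes ~100 ms


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # unique per record, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; any malformed record is rejected, not crashed on."""
    try:
        algorithm, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def salt_of(record):
    """The salt portion of a record, hex-encoded (for inspection only)."""
    return record.split("$")[2]


if __name__ == "__main__":
    # Two users choose the same (constructed) password: the records differ.
    r1 = hash_password("correct horse battery staple")
    r2 = hash_password("correct horse battery staple")
    print("records differ:", r1 != r2, "salts differ:", salt_of(r1) != salt_of(r2))
    print("right password:", verify_password("correct horse battery staple", r1))
    print("wrong password:", verify_password("Tr0ub4dor&3", r1))
```

Verification re-reads the iteration count from the record, so the work factor can be raised for new records while old ones keep verifying until the user next logs in and the record is rewritten.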
Our team is already working proactively with CloudFlare to stop the attackers. However, over the next few days you may need to complete the CAPTCHA to access your account. Once the attack is mitigated, this measure will be removed, and it will be automatically re-added if the system detects another attack.