NutriBullet was hit by a malware attack in February that continued for over a month. Two days ago, RiskIQ published a blog showing that they had tried to tell NutriBullet about the breach but the company had ignored them. Despite other attempts to contact NutriBullet, and RiskIQ voluntarily taking down the criminals' infrastructure, it took until the whole thing went public for NutriBullet to act.
As a result of various news stories, NutriBullet issued a statement saying:
“NutriBullet takes cybersecurity and personal privacy extremely seriously and is dedicated to the protection of our customers. Our IT team immediately sprang into action the morning of March 17 upon initially learning about a possible breach. Within hours, the company’s IT team promptly identified malicious code and removed it, which has since been confirmed by RiskIQ.
“Moreover, we have launched forensic investigations to determine how the code was compromised and have updated our security policies and credentials to include Multi-Factor Authentication as a further precaution. Our team will work closely with outside cybersecurity specialists to prevent further incursions, and we thank RiskIQ for bringing this issue to our attention.”
NutriBullet statement not entirely factual
NutriBullet also tweeted to @journoian after we published the story. In a series of tweets it reiterated: “NutriBullet takes cyber security and personal privacy seriously and is dedicated to the protection of our customers. We would never ignore a notification of a cyber security issue. Our team is working with outside security specialists to prevent further incursions.”
It all sounds so proper. But it isn’t. Let’s take that claim: “We would never ignore a notification of a cyber security issue.” It turns out that is not true, at least in this case. When challenged about the gap between the 20th February and the 17th March, NutriBullet responded: “NutriBullet would never ignore a notification of a Cybersecurity issue. RiskIQ reached out to unofficial channels.”
To confirm this, Enterprise Times contacted Yonathan Klijnsma, the author of the RiskIQ blog, to ask how he had contacted NutriBullet. He replied: “Hi Ian, we used their official support channel first. After not receiving a response we went and contacted higher up officials of the company via LinkedIn as we stated in our blog. Their support claimed a 24-48 hour response which we never received.”
The story continues to change
When we challenged NutriBullet with this information we were asked to put questions into a private message. As everything up to this point was in public, we decided to press them. We also contacted Finn Partners, NutriBullet’s PR agency. We sent them images of the Twitter conversation and asked for further comment.
Finn Partners responded with the following statement from NutriBullet:
“As we backtrack through our contact log, to our knowledge there was one attempt to connect with NutriBullet over the website, however it was flagged as Phishing Spam; 18 days later, RiskIQ’s Yonathan Klijnsma reached out to an executive via LinkedIn, an unofficial company channel which went unseen as said executive is not as active on that social media platform. No one called NutriBullet’s 800 customer service number, nor emailed email@example.com.”
First of all, why would you simply mark as spam an email from a highly respected security company warning you of a breach? It is a relatively easy thing to verify if an email is real or spam. This comment does not ring true. Instead, it sounds like the automated spam system kicked in and nobody at NutriBullet checks the spam folder.
So what about that LinkedIn claim?
NutriBullet has also questioned when Klijnsma attempted to contact an executive via LinkedIn. It claims he waited 18 days and that the executive isn’t very active on that platform.
Once again, when fact-checked, Klijnsma has dispelled that myth. His timeline of events goes:
- Reached out to the CEO (he accepted me on LinkedIn within a few hours, clearly active on social media)
- Reached out to their CISO on LinkedIn
- Took down bad guys’ infrastructure to protect their customers
In Klijnsma’s blog post he points out that the first takedown of infrastructure was just days after the breach occurred. That would mean the LinkedIn contacts came before that. The claim that it took 18 days and that the executive (note the singular) does not use LinkedIn can only apply to the CISO, not the CEO. Once again, the facts of what happened and when are being deliberately distorted.
So how did NutriBullet learn about the breach?
Remember that email address in the NutriBullet response? It turns out that both companies share the same Public Relations agency. On 17th March, RiskIQ handed a copy of the blog to Finn Partners in the UK. That same day, Finn Partners in the US would have seen the release on the company system. It would have been flagged to the US team looking after NutriBullet because it references them.
It is likely that the US PR agency team passed a copy of the blog to the internal comms team at NutriBullet. They, in turn, passed it to the security team who realised they needed to do something. The point here is that had they been different PR agencies, nothing would have happened until AFTER the blog was live.
Since then, the code has been removed and that has been verified by RiskIQ. Security processes have been changed at NutriBullet, at least according to their statement. This means that customers should be able to trust the site again. It will be interesting to see what the forensic team reports. After all, it is clear that data was being exfiltrated. How long before customers are contacted? Will all customers who visited the site in that period be offered any form of fraud protection? We wait and see.
Enterprise Times: What does this mean?
There are so many things wrong with this situation. If you are not going to have a simple way for a security company to contact you about a breach, you have to think again. To have nobody looking at your spam folders on a regular basis to see if something has been miscategorised also raises questions. Somebody clearly dropped the ball here.
While using LinkedIn is not a slam-dunk approach, the fact is that it is a route that a number of security researchers use. The other approach is to use Twitter, but that could create a social storm. RiskIQ tried to avoid that, and NutriBullet seems to be using that to blame them for delays in acting on the software breach.
I have spoken to more than 30 security researchers this morning. Not a single one said using the PR agency would be something they’d naturally do. Only three said that they would consider using a general customer service number, especially as most organisations outsource their customer support. Using either route puts information about a security breach in the hands of a third party.
There are also questions over how the NutriBullet development team monitor the website. The responses indicate that the company has an internal security team. Perhaps they should be involved in the change management process and have visibility over all changes to the website.
For now, the security hole is closed. Let’s hope lessons have been learned.