Software bug (now resolved) could have allowed unauthorized account access

On March 26, 2021, iNaturalist discovered a software bug that could allow some users to access another user’s account via the iPhone app. As of this writing, iNaturalist is aware of only one instance where this unauthorized access has occurred, and has fixed the software bug. While we cannot determine if additional accounts were accessed, we can say which accounts could have potentially been accessed. This includes any iNaturalist accounts that do not have an associated email address, which amounts to less than 2% of total users. Out of an abundance of caution, all potentially affected users have been signed out of their accounts in the iPhone app.

We believe the only personal information that could have been accessed is coordinates of obscured or private observations. The only accounts that could have been accessed did not have email addresses associated with them, so that information could not have been obtained.

However, affected users could have had their account or observations deleted by the unauthorized user. If you think your account has been affected, please contact us at help+breach@inaturalist.org. We may be able to recover lost content if your account or observations were deleted as a result, but unfortunately we cannot guarantee this.

We sincerely apologize for this oversight and are committed to ensuring the security of your observations and personal information. As we continue to investigate this issue, we’ll be sure to keep you posted via our blog with any updates. To check if your account was potentially affected, please visit the FAQ below.

Thank you for being a part of the iNaturalist community. We've created a thread in the Forum for discussion if you have any questions.

—The iNaturalist Team

FAQs

How do I know if my account was potentially affected?

Only iNaturalist users who do not have an email address associated with their account are potentially affected, which may include anyone who created their iNaturalist account using Apple, Facebook, or Google. To check if your account is associated with an email address, please view your account settings. You can also look for any observations associated with your account that you did not take. If you think your account has been affected, please contact us at help+breach@inaturalist.org.

Is there evidence of malicious intent?

No. The one incident we are aware of was self-reported and unauthorized access to another user’s account was obtained inadvertently. As of this writing, we do not have evidence of any other incidents of unauthorized access.

What kind of personal information could have been accessible before the software bug was fixed?

We believe the only personal information that could have been accessible to an unauthorized user is the coordinates of obscured or private observations. It is also possible that past observations or the account itself could have been deleted.

What can I do if I think someone has obtained unauthorized access to my account?

If you think someone has obtained unauthorized access to your account, please contact us at help+breach@inaturalist.org.

Posted by kueda kueda, March 27, 2021 02:05