Blog Categories:

Sales Resources:

Contact Us
Request a Quote
Request a Demo

Never Share Your Login Information!

By design evogov | September 19th 2019

Terms of Service Updated Today Due To Security Event

We updated our Terms of Service (TOS) Agreement (www,evogov.com/tos) this morning in response to a security event that was created by a customer.
Item #7 of our TOS has this new language:


"WARNING: SHARING OF ANY USER LOGIN INFORMATION TO EVOGOV, INC. SERVICES WITH A THIRD PARTY IS A VIOLATION OF THESE TERMS OF SERVICE AND MAY LEAD TO IMMEDIATE TERMINATION OF ALL SERVICES FOR YOUR ORGANIZATION. YOU ARE RESPONSIBLE FOR SECURING YOUR LOGIN INFORMATION, AND ANY LIABILITIES CREATED FROM THE SHARING OF YOUR ACCOUNT INFORMATION. ANY SECURITY-RELATED CLEANUP WORK PERFORMED BY EVOGOV, INC. RELATED TO YOUR SHARING OF LOGIN INFORMATION WILL RESULT IN ADDITIONAL FINANCIAL CHARGES AND MAY RESULT IN IMMEDIATE TERMINATION OF YOUR ACCOUNT WITH NO REFUND."

What Happened - An Opportunity to Discuss Login Security

I want to tell you about an event that just happened regarding the sharing of user login information to illustrate how risky this can be.
We just responded to an incident where the administrator of a city's website shared their personal admin login information with a local search engine optimization (SEO) company.
The SEO company uses offshore labor and does not share that fact with their customers.
Our staff noticed through our live chat system that there was an admin login happening on this city's website from the Philippines, using the website administrator's credentials.
This created an immediate security response from EvoGov.

Security Actions We Took:

  • We contacted the city immediately and confirmed that the city's website administrator was in fact NOT in the Philippines.
  • We asked if the admin's login was shared, and were told "no". This later turned out to be untrue.
  • The user account for the website admin was deactivated by us.
  • The IP address of the user in the Philippines was blocked by us.
  • The entire country of the Philippines was blocked by us using an application firewall on Amazon AWS.
  • The entire CMS admin for the city was deactivated for all users since an admin account was being used.
  • All files, pages, and applications touched by this login during this session were deactivated and taken offline.
  • Since this was an admin login with full user-editing privileges, ALL user accounts at the city will now need new passwords.

Obviously this is a ton of work for us, but we take security of our customer websites VERY seriously. We have to.
The website administrator was out of town, and as I was researching the incident I found an old support email from the owner of the SEO company asking us about our CMS.
I wondered if the SEO company was somehow using the website admin's login to work on the website, so I called the SEO company owner on the phone.
He stated "we only use local workers, so it couldn't have been us". Yet, he mentioned his employee using our chat service for help with placing an image into the website.
I then looked at the chat logs from his employee and I see this:

Our chat system captures the IP of the visitor, and it also does a quick geolocation showing us that this user was in fact located in the Philippines.
Basically, the SEO company owner was lying to me, or his employee was lying to him about his location. Either way, it is bad news.
I went back to the website administrator and asked him once again if it was possible that he might have shared his login with the SEO company.
He reluctantly admitted that he did.

The Risks

Last month, 23 towns in Texas were hit with a huge ransomware attack: https://www.businessinsider.com/texas-ransomware-attack-affects-23-towns-single-attacker-2019-8
Luckily, none of the towns in Texas that are affected by that are our customers, but imagine if someone from outside the USA placed a virus link on the home page of a city website, or on their bill-pay form.
The results would be catastrophic.

So the lessons are:

  1. NEVER share your login information with anyone.
  2. Sharing login information is a violation of our Terms of Service.
  3. Cleanup of a security issue due to sharing login information will result in a financial charge and perhaps account termination.
  4. Know your vendors - you need to know for sure if your vendor is using offshore labor (For the record EvoGov does NOT use offshore labor for anything).
  5. If you catch a vendor lying to you - fire them!

If you have any questions about this post, please let me know.

John McKown, President
EvoGov, Inc.
jmckown@evogov.com

Posted in: