Exclusive: OANDA's Server Hacked but No Harm to fxTrade

by Steven Hatzakis
  • Forex Magnates investigates after OANDA just announced it was hacked into on Monday, and an unauthorized access exposed customer data related to non-fx trading (information services) in certain of its older legacy products.
Exclusive: OANDA's Server Hacked but No Harm to fxTrade
Join our Telegram channel
OANDAlogo

Forex Magnates has learned that OANDA Corporation had two of its legacy products hacked into early Monday morning (NY Time), as a security vulnerability in two of its non-FX trading (information only) services was exploited by an attacking hacker.

The culprit gained unauthorized access of the firm's fxPense product and accessed data related to a rate subscription service, potentially including certain usernames, passwords, emails and less than 30 expired credit card data for affected clients, Forex Magnates confirms. The company also urged users registered for its fxPense expense reporting tool service to change passwords used anywhere else where they may have used the same log in details, as a precaution.

It’s important for traders to know that the firm's fxTrade services, including clients' trades and clients' funds were not affected, according to the statement OANDA sent to clients notifying them of the event, and as told to Forex Magnates' reporters by OANDA’s Vice President of Trading, Courtney Gibson, who provided further feedback below regarding the nature of the incident.

Courtney Gibson, VP of Trading, OANDA Corporation

Courtney Gibson, VP of Trading, OANDA Corporation

Mr. Gibson said to Forex Magnates' reporters during a phone call following the event, that the company’s 24-hr monitoring system had identified the unauthorized access and that the firm has temporarily taken the affected products offline, while it considers whether to either discontinue them or patch their apparent software vulnerability, and has also engaged a 3rd party security consultant while preparing to do a full security audit for its systems.

The company was quick to detect the intrusion, audit the extent of the attack and take steps to notify clients and regulators of the breach, including informing the U.S. Federal Bureau of Investigation (FBI) and related authorities. The firm has once before been the target of a hacker who gained unauthorized access, reporting as even the largest of companies including regulatory agencies

Forex Magnates opines that while the event didn't have to be reported to agencies such as the NFA or CFTC, or where OANDA is regulated in other jurisdictions, the firm did so anyway for the sake of keeping its relationship with its regulators updated in terms of the latest developments, even though the attack didn't involve its regulated activities (rate subscription service & FX expense reporting tool).

Information for less than 30 credit cards may have been stolen by the hacker, yet the data was said to be over 5 years old, with all the cards having already expired, yet OANDA cautioned users to take preventative measures to alert their credit card providers and said to offer them a free credit monitoring service for a full year, as per the official statement below.

Statement OANDA Sent to Clients Last Night Regarding Monday’s Breach:

An important notice was just issued to OANDA customers informing them of an unauthorized breach which occurred on the morning of Monday March 3, 2014. Please note that this incident did not impact the fxTrade services, client trades or funds.

However, a historical log of some Payments that OANDA received via PayPal (prior to 2007) was accessed. No passwords or personally identifiable information, outside of customer names and email addresses, were exposed.

Usernames and passwords for OANDA fxPense may have been accessed (these accounts are not related to fxTrade). Customers registered for this service who use the same username and password on any other external websites are strongly recommended to change those passwords.

Additionally, fewer than 30 expired credit card numbers may have been accessed during this breach. While these credit card numbers have been expired for 5+ years, out of an abundance of caution we strongly urge those customers affected to alert their credit card provider, as well as review the transactions on their account made this week to verify that no unapproved charges have been made.

We are in the process of arranging to offer those clients one year of complimentary credit monitoring service to provide further protection.

Immediately upon detecting the breach, the means of access was disabled and OANDA has alerted the Federal Bureau of Investigation (FBI), our regulators and the relevant privacy offices to report the attack.

We have completed a careful review of our system services and logs, and are currently undertaking an additional study of security across all of our systems, above our regular security audits. This breach was limited to one server involved with historical data and was not connected to our fxTrade system.

OANDA takes the protection of customer information very seriously, and we regret that this incident occurred. OANDA is committed to working with our customers to help minimize any inconvenience they may experience as a result.

We will provide further details as we confirm and learn any additional information.

Sincerely, The OANDA Team

The Other [Good] Side of the Hacking

In terms of computer hacking, in its positive form when used to innovate a method to carry out specific tasks in either a competition or security analysis, OANDA has recently supported an event to find talented programmers who gathered at the FinTech Hackathon, to compete against one another in hacking challenges.

At a recent such event in New York City, there were a total of 18 APIs offered by the event’s sponsors that included the likes of Dow Jones and Bloomberg for developers to choose from, and OANDA noted on its website that of the 31 teams that competed at this hackathon, a handful of them chose to build their hacks on the OANDA API.

Events like these encourage developers to build out new offerings, as crowdsourcing and 3rd party developers and related app-markets continue to be an integral part of available computer software offerings and marketplaces.

Forex Magnates had just covered last week when OANDA had a few of its key websites and platforms go offline for clients due to a disruption in internet connectivity, which was blamed on the company's Internet Service Provider (ISP), which lasted for around two hours, and days after we interviewed the company's CEO, Ed Eger, during an exclusive interview about the new upcoming things the firm has planned under his new leadership.

OANDAlogo

Forex Magnates has learned that OANDA Corporation had two of its legacy products hacked into early Monday morning (NY Time), as a security vulnerability in two of its non-FX trading (information only) services was exploited by an attacking hacker.

The culprit gained unauthorized access of the firm's fxPense product and accessed data related to a rate subscription service, potentially including certain usernames, passwords, emails and less than 30 expired credit card data for affected clients, Forex Magnates confirms. The company also urged users registered for its fxPense expense reporting tool service to change passwords used anywhere else where they may have used the same log in details, as a precaution.

It’s important for traders to know that the firm's fxTrade services, including clients' trades and clients' funds were not affected, according to the statement OANDA sent to clients notifying them of the event, and as told to Forex Magnates' reporters by OANDA’s Vice President of Trading, Courtney Gibson, who provided further feedback below regarding the nature of the incident.

Courtney Gibson, VP of Trading, OANDA Corporation

Courtney Gibson, VP of Trading, OANDA Corporation

Mr. Gibson said to Forex Magnates' reporters during a phone call following the event, that the company’s 24-hr monitoring system had identified the unauthorized access and that the firm has temporarily taken the affected products offline, while it considers whether to either discontinue them or patch their apparent software vulnerability, and has also engaged a 3rd party security consultant while preparing to do a full security audit for its systems.

The company was quick to detect the intrusion, audit the extent of the attack and take steps to notify clients and regulators of the breach, including informing the U.S. Federal Bureau of Investigation (FBI) and related authorities. The firm has once before been the target of a hacker who gained unauthorized access, reporting as even the largest of companies including regulatory agencies

Forex Magnates opines that while the event didn't have to be reported to agencies such as the NFA or CFTC, or where OANDA is regulated in other jurisdictions, the firm did so anyway for the sake of keeping its relationship with its regulators updated in terms of the latest developments, even though the attack didn't involve its regulated activities (rate subscription service & FX expense reporting tool).

Information for less than 30 credit cards may have been stolen by the hacker, yet the data was said to be over 5 years old, with all the cards having already expired, yet OANDA cautioned users to take preventative measures to alert their credit card providers and said to offer them a free credit monitoring service for a full year, as per the official statement below.

Statement OANDA Sent to Clients Last Night Regarding Monday’s Breach:

An important notice was just issued to OANDA customers informing them of an unauthorized breach which occurred on the morning of Monday March 3, 2014. Please note that this incident did not impact the fxTrade services, client trades or funds.

However, a historical log of some Payments that OANDA received via PayPal (prior to 2007) was accessed. No passwords or personally identifiable information, outside of customer names and email addresses, were exposed.

Usernames and passwords for OANDA fxPense may have been accessed (these accounts are not related to fxTrade). Customers registered for this service who use the same username and password on any other external websites are strongly recommended to change those passwords.

Additionally, fewer than 30 expired credit card numbers may have been accessed during this breach. While these credit card numbers have been expired for 5+ years, out of an abundance of caution we strongly urge those customers affected to alert their credit card provider, as well as review the transactions on their account made this week to verify that no unapproved charges have been made.

We are in the process of arranging to offer those clients one year of complimentary credit monitoring service to provide further protection.

Immediately upon detecting the breach, the means of access was disabled and OANDA has alerted the Federal Bureau of Investigation (FBI), our regulators and the relevant privacy offices to report the attack.

We have completed a careful review of our system services and logs, and are currently undertaking an additional study of security across all of our systems, above our regular security audits. This breach was limited to one server involved with historical data and was not connected to our fxTrade system.

OANDA takes the protection of customer information very seriously, and we regret that this incident occurred. OANDA is committed to working with our customers to help minimize any inconvenience they may experience as a result.

We will provide further details as we confirm and learn any additional information.

Sincerely, The OANDA Team

The Other [Good] Side of the Hacking

In terms of computer hacking, in its positive form when used to innovate a method to carry out specific tasks in either a competition or security analysis, OANDA has recently supported an event to find talented programmers who gathered at the FinTech Hackathon, to compete against one another in hacking challenges.

At a recent such event in New York City, there were a total of 18 APIs offered by the event’s sponsors that included the likes of Dow Jones and Bloomberg for developers to choose from, and OANDA noted on its website that of the 31 teams that competed at this hackathon, a handful of them chose to build their hacks on the OANDA API.

Events like these encourage developers to build out new offerings, as crowdsourcing and 3rd party developers and related app-markets continue to be an integral part of available computer software offerings and marketplaces.

Forex Magnates had just covered last week when OANDA had a few of its key websites and platforms go offline for clients due to a disruption in internet connectivity, which was blamed on the company's Internet Service Provider (ISP), which lasted for around two hours, and days after we interviewed the company's CEO, Ed Eger, during an exclusive interview about the new upcoming things the firm has planned under his new leadership.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}