
Wooting Hub Data Breach - Postmortem
Thursday late night we experienced a data breach to the Hub. Customers were able to see other customers' information on the Hub. We estimate this happened to about 10 people.
Full timeline - 11th of July (GMT+2)
00:27 AM -> Our change with the issue went live
00:36 AM -> We received the first report on discord
1:04 AM -> Killed server to stop any requests
1:06 AM -> Operations back to normal with fix live
Details of information that was leaked
- First / last name + address + phone number
- VAT number (if applicable)
- Customs ID (if applicable)
- Order numbers and line items
- Status of the order and shipping / tracking information
To be clear, the above are the only things that were part of the breach.
What was not leaked nor possible includes
- Any changes to the order like address changes, refunds or order edits
- Any payment information, like the last 4 digits of a credit card
- Any passwords or other authentication cookies
What happened
We tried an approach of caching a customer's orders for faster load times and less load on our server. The service we use just did not work as expected and ended up sharing the cache with everyone else. Essentially:
- Starting point, cache is empty
- User #1 logs in, their result gets cached for up to 10 mins
- User #2 logs in, they get user #1 result.
- Repeat for all users that login in this time
- After 10 mins cache gets cleared
- Repeat from step 1
Because the total incident time was 40 minutes and the cache lifetime up to 10 minutes, the number of people whose information was leaked is limited. There are probably a few hundred people that saw other people's information; we're still figuring out the exact number.
In technical terms: for our get orders route, we set the `cache-control` header to `public`, in combination with a `Vary` header to only allow the authenticated user access to the data. We realised too late that Cloudflare does not respect the `Vary` header.
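To make the failure mode concrete, here is an added example (not Wooting's code) that models the scenario above in plain JavaScript: an origin handler that returns per-user order data with `Cache-Control: public, max-age=600` plus `Vary: Authorization`, and a shared cache in front of it that honours `Cache-Control` but, like the post describes for Cloudflare, ignores `Vary`. The route name, the `Authorization`-token lookup, the sample customers and the cache model are all assumptions made for the illustration; the hardened handler uses `Cache-Control: private, no-store`, which tells any shared cache not to store the response at all.

```javascript
// Added illustration, not the Hub's actual code. Models a shared (CDN) cache
// keyed only on the URL so that the effect of ignoring Vary can be observed.

// Constructed sample data: two customers, looked up by a bearer-style token.
const ORDERS = {
  "token-alice": [{ id: "A-1001", name: "Alice Example", status: "shipped" }],
  "token-bob":   [{ id: "B-2002", name: "Bob Example",   status: "processing" }],
};

// Origin handler as described in the post: public cache + Vary on the auth header.
function ordersHandlerBroken(req) {
  return {
    headers: {
      "cache-control": "public, max-age=600", // 10 minutes, as in the timeline
      "vary": "Authorization",
    },
    body: ORDERS[req.headers.authorization] ?? [],
  };
}

// Hardened handler: per-user data must never enter a shared cache.
function ordersHandlerFixed(req) {
  return {
    headers: { "cache-control": "private, no-store" },
    body: ORDERS[req.headers.authorization] ?? [],
  };
}

// Parse "public, max-age=600" into { public: true, "max-age": 600 }.
function parseCacheControl(value = "") {
  const out = {};
  for (const directive of value.split(",")) {
    const [k, v] = directive.trim().toLowerCase().split("=");
    if (k) out[k] = v === undefined ? true : Number(v);
  }
  return out;
}

// Minimal shared cache. With honoursVary=false it behaves like the CDN in the
// post: the cache key is the URL alone, so the first user's response is
// handed to everyone until max-age expires.
function createSharedCache({ honoursVary }) {
  const store = new Map(); // url -> { response, varyValues, expiresAt }
  return function fetch(origin, req, nowSeconds) {
    const entry = store.get(req.url);
    if (entry && entry.expiresAt > nowSeconds) {
      const matches = !honoursVary ||
        Object.entries(entry.varyValues)
          .every(([h, v]) => (req.headers[h] ?? "") === v);
      if (matches) return { ...entry.response, fromCache: true };
    }
    const response = origin(req);
    const cc = parseCacheControl(response.headers["cache-control"]);
    // Only "public" responses with a max-age and without no-store are stored.
    if (cc.public && cc["max-age"] && !cc["no-store"]) {
      const varyNames = (response.headers.vary ?? "")
        .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
      const varyValues = Object.fromEntries(
        varyNames.map((h) => [h, req.headers[h] ?? ""]));
      store.set(req.url, { response, varyValues, expiresAt: nowSeconds + cc["max-age"] });
    }
    return { ...response, fromCache: false };
  };
}

// Replay the sequence from the post: user #1 populates the cache, user #2
// logs in shortly after, then a request arrives after the 10-minute expiry.
function simulate(handler, honoursVary) {
  const fetch = createSharedCache({ honoursVary });
  const alice = { url: "/api/orders", headers: { authorization: "token-alice" } };
  const bob   = { url: "/api/orders", headers: { authorization: "token-bob" } };
  fetch(handler, alice, 0);
  const bobEarly = fetch(handler, bob, 60);
  const bobLate  = fetch(handler, bob, 601);
  return {
    bobSawAliceData: bobEarly.body.some((o) => o.name === "Alice Example"),
    bobServedFromCache: bobEarly.fromCache,
    nameAfterExpiry: bobLate.body[0]?.name,
  };
}

module.exports = { ordersHandlerBroken, ordersHandlerFixed, createSharedCache, simulate };
```

Running `simulate(ordersHandlerBroken, false)` reproduces the leak (Bob is served Alice's orders from cache); the same handler behind a cache that honours `Vary` does not leak, which is why the configuration looked correct in review. The fixed handler does not leak in either case because the response is never stored, which is the property to rely on: authenticated responses should carry `private`/`no-store` rather than depend on the CDN's `Vary` handling.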
What we've done since
- The issue was quickly reverted by our developers (thanks Heidi, Diogo & Tony).
- We reported the incident to the Dutch data protection authority.
- Every individual affected has been contacted individually to inform them that their personal info was or might have been breached.
- We're critically reviewing our code review and deployment process.
What you can expect as a customer
- If you did not log in to the Hub between 12:27 AM GMT+2 and 1:06 AM GMT+2 on July 11th, your data was never leaked
- Note we have sent an email to everyone* who logged in during this period
- If you did log in in that time period, there's a chance that other customers saw your personal info.
- We sent everyone that logged in in that time period an email to confirm whether they were part of the breach or not.
- Customers were only able to view other customers' information, not make any edits like address changes.
Closing thoughts
It really sucks to see people’s information leaked like this through our systems. We put a lot of effort into developing systems that are safe and reliable, especially when it comes to personal data.
Over the years, our code base, system complexity, and team size have evolved significantly. In the past year we've made substantial improvements to our operating standards, logging capabilities, and deployment processes. These enabled us to respond quickly to this incident and gain clear insight into the timeline and affected users. Nevertheless, this situation serves as a clear reminder that we're responsible for sensitive data, and you should hold us to high standards.
Jeroen
CTO & Co-founder
*We have combined different data sources to get this list as complete as we can. It is possible we missed some people that logged in during this time period. Because of our logging settings this should be limited.
