PageFair breach disclosure

Here’s an example of how to timely detect and disclose a breach transparently.

Halloween Security Breach
By Sean Blanchfield

PageFair security breach has been resolved – here is what you need to know.

Update 1 – 21:30 GMT November 1, 2015

Core Facts

If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now. For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening.

The attack was sophisticated and specifically targeted against PageFair, but it is unacceptable that the hackers could gain access to any of our systems. We identified the breach immediately, but it still took over 80 minutes to fully shut it down.  During this time, visitors to websites owned by the publishers who have placed their trust in us were targeted by these hackers.

The damage was mitigated by our standard security practices, but the attackers still gained access.  I want to take some time here to describe exactly what happened, how it may have affected some of your visitors, and what we are doing to prevent this from ever happening again.

We will update this post as we establish more facts.


At 23:52 GMT last night (October 31, 2015) hackers succeeded in executing a spearphishing attack gaining access to a key email account.  The attackers then immediately performed a password reset to hijack PageFair’s account on a Content Distribution Network (CDN) service that we use to serve our analytics javascript tag. They modified the CDN settings so that instead of serving PageFair’s javascript, it served malicious javascript. This intentionally harmful javascript prompted visitors to install a fake Adobe Flash update, which appears to be a botnet trojan that targets Windows (more information on it is now available here). Although many virus scanners will have prevented this file from executing, others may not have been able to correctly detect it.

We noticed the security breach within 5 minutes, but it took until 01:15 (83 minutes) to fully rectify the situation. After this time visitors were no longer affected.

If you had the free PageFair Analytics code installed on your website yesterday, it is possible that some visitors to your website will have downloaded the malicious executable file. We are directly notifying every publisher who had our code deployed during this time.  If we do not reach out to you directly, it means that you were not affected.


The malware distributed by the malicious javascript is targeted only at Windows users, and is detected by many anti-virus programs. In addition, not all Windows users accessing your site during the affected period of 83 minutes will have been affected.  Due to caching rules, only visitors who had not been active on your site in the previous 120 minutes would have connected to the CDN.  Also, 33 minutes after the attack started we reconfigured our DNS settings to bypass the CDN entirely. This change began propagating immediately (with a TTL of 60 minutes), and would have prevented many users from ever connecting to the CDN during the attack period.  Finally, at 01:15 GMT, we deleted the CDN “pull zones” in our account, which immediately ended the attack. From that point forward, users were no longer affected.


There is no evidence or reason to believe that any core pagefair servers or databases were compromised. No publisher account information, passwords or personal information has been leaked.


  • For today, our priority has been to ensure that all systems are fully secure and that all company-wide passwords are reset.  This has been done.
  • Tomorrow we will audit the level of access to company documents that the hackers may have gained.  We do not store any Personally Identifiable Information in any system, but we will advise partners if we have reason to believe any sensitive documents may have been accessed.
  • We will analyze which security practices failed and which could be strengthened and adopted to prevent something like this from occurring in future.
  • We will continue to post mortem this for the remainder of the week, and will regularly update this post with our findings.

Thanks to our customers who were patient with us during this issue, The Media Trust Company, who worked hard to reach us during the issue, and MaxCDN for being available in real time to help lock the hackers out of our account.  We will have more updates tomorrow.

Please ask us any questions in the comments section below or feel free to reach out to us at [email protected]  We will respond to every single email and query that comes our way.  We will also be updating our Twitter account as we update this post.

About the author: Dissent

Comments are closed.