Forced Password Reset on all bgp.tools accounts


During an audit of some of the TLS functions of bgp.tools, a flaw was uncovered that resulted in reduced security for some TLS/HTTPS connections to the bgp.tools website. This has prompted us to reset all impacted passwords.

Despite this security issue, we expect the risk of plaintext being exploited to be extremely low. However, because such an attack would be difficult to detect, we are forcing all bgp.tools passwords to be changed out of an abundance of caution (to clear any persistent risk that might have been caused by this issue).

What data could have been exposed

Keep in mind that we believe it is extremely unlikely that any data has been exposed at all. However, since it is not possible to be sure that an attack was not performed, we are resetting all impacted passwords.

Anything that you could see (or send) on the bgp.tools website could have been impacted. In practice, the only sensitive data that we believe was at risk is:

  • The password you log in to bgp.tools with
  • BGP session passwords (if you set one)
  • Any email/webhook you entered as a notification endpoint

Payment credentials are managed by our card processor and are not impacted by this issue.

Apologies

We would like to apologise for the inconvenience of doing this. This flaw was uncovered during some clean-up work in preparation for bgp.tools to process more sensitive data in the near future.

We would also like to take a moment to confirm that the databases that run bgp.tools are safe and have not been dumped/compromised as part of this incident.

Payment credentials are not part of the bgp.tools database at all, as they are managed by Stripe at this time.

