Summary

At 12:25 pm EST on April 14th, Highways was informed by the Pipedrive Marketplace Team that the Client Secret had been exposed via their Marketplace.

A Client Secret is used to authenticate apps, such as Highways, with a Pipedrive account. In general, this secret is never shared or known to anyone except the system that requires it for authentication.

At 2:00 pm EST on April 14th, Highways rotated our Client Secret and pushed this change to our production servers.

Was any data stolen? Is my Pipedrive account safe?

At this time, Highways has been informed by Pipedrive that no abuse of any client secrets has been reported. Highways has reviewed our logs and we are satisfied that no abuse or impersonation took place.

Do I need to do anything?

Yes, you will need to authenticate Highways by clicking here. This will reset your authentication with Highways and use our new Client Secret.

Summary of Statement from Pipedrive Marketplace Team

From [13.03.2020] to [06.04.2020] the client_secret was exposed within our Marketplace website. Because of this, it is possible that it could have been leaked to third parties.

We have currently not logged any attempts of abuse, but are still investigating. The exposed client_secret has since been removed from the Marketplace’s code. The next course of action to avoid any potential abuse would be to change the client_secret for your app right away. 

To avoid any service interruption you will need to update your app with the new client_secret.

To reiterate, at this point there does not seem to be any attempt, successful or otherwise, to take advantage of this issue. We apologize for this incident and would like you to know that we are doing everything we can in order to understand the full impact (if any), and ensure it does not happen again in the future.
