A Recent Security Incident: How We’re Responding

To the Bonusly community, 

Security is a top priority for us at Bonusly. We build security into our systems, our processes, and our culture. We understand our customers and users are trusting us with their data and we take the responsibility of securing it extremely seriously.

We recently became aware that Bonusly has joined a growing list of companies over the last three days that are being impacted by security incidents. 

What happened

Most critically, Bonusly was not the original target of this incident, and none of our customer company or personal data has been stolen.

We have identified a bad actor that has used a number of compromised credentials exposed in third-party breaches to fraudulently access and redeem rewards within the Bonusly platform. We have assembled a list of compromised accounts, implemented technology to blocklist identified intruders, and are making additional security enhancements to address this specific incident. It is our understanding that law enforcement is aware of the broader suite of incidents and is investigating.  

What we're actively doing

We will be contacting any customer who is potentially at risk to communicate how to take additional actions to further protect your account. We will include instructions and suggestions on further security measures that can be taken by your organization and details on actions taken by Bonusly directly related to your account.

We have included updates to the Bonusly in-app experience, plus security tips you can take below if applicable. We will continue to update you with the utmost transparency.

For Bonusly Customers: In-app updates & how to secure your passwords

Here are some of the immediate actions that Bonusly is taking in response to this incident:

• Lowered a daily limit for reward redemption per user.

• Removed the ability for admins to adjust user balances.
  User balances can still be adjusted administratively by reaching out to your Bonusly CSM.
• Increased security and complexity requirements for passwords.
  For users who authenticate via web login (username and password), Bonusly uses an algorithm that analyzes the complexity of your password to ensure it is strong and unique. We have adjusted our algorithm to increase the required complexity. This means you will be required to have a stronger and safer password to protect your Bonusly account (and your Bonusly points!) from intruders. If you authenticate to Bonusly via SAML or SSO from other third party systems (Okta, GSuite, etc.), we strongly recommend the use of strong passwords and multifactor authentication (MFA) for those systems.

Here’s a list of our go-to tips for creating secure passwords:

• Never reuse passwords
• Use 2 factor authentication wherever possible (highly recommended)
• Use at least 15 characters for your password (the more, the better!)
• Use a mixture of both uppercase and lowercase letters
• Mix in letters and numbers, passphrases are the best!
• Include at least one special character
• Try to avoid using actual words from any language by themselves because they are easier to guess and decode (i.e., Burgundy)
• Consider using a password manager program to keep track of your passwords, which defeats a lot of standard hacking attempts

You can learn more about setting up MFA in our Help Center

We are committed to keeping Bonusly secure for all users, and we appreciate your partnership in making this happen. 

Raphael Crawford-Marks,
Founder & CEO, Bonusly