We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information -- specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.
We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.
We sincerely regret any inconvenience or disruption this may cause.
 
 
Questions and Answers

What information was compromised?  
The hackers accessed a user data table that contained contact information including name, email address, telephone number, city location, and login information (passwords were protected with encryption). The table that was attacked contained no personal financial information such as credit card, bank account, social security or tax ID numbers.

Should I change my password now?
Yes. In fact, as of Friday, July 17, Elance is now requiring all users to reset their passwords for protection. When you log-in, you'll be prompted to follow a link sent to you at the email address we have on record for you. Remember, it is always a good idea to maintain unique passwords for each website you use. More info here.

Were SSN, credit card or bank details stolen?
No. This incident did not involve any credit card, bank account, social security or tax ID numbers. That information is kept in a different place for extra protection, and it is encrypted to ensure that it is unreadable without the secure encryption key.

How did this happen?
Hackers exploited an unknown security hole and were able to access the table in our database that stores Elance user data including name, email address, phone number, city location, and log-in information (passwords were protected with encryption).

Elance employs third-party security monitoring systems to protect user data, but one of those third-party systems failed to flag this security hole. The vendor has acknowledged the error and subsequently patched their product. We’ve in turn applied our own patches, and have taken steps to prevent this from happening again. Sensitive personal information (bank information, credit card, social security or tax ID number) was not accessed by this attack.

What is Elance doing about it?
We have taken a ‘drop-everything’ approach to this security breach in an effort to react as swiftly and decisively as possible. Here’s what we’ve done so far:

• Openly communicated with all affected parties via email, the Elance blog, our Twitter feed, and via our Trust & Safety center on Elance.com to alert all parties of the security breach
• Strengthened our password requirements and forced password changes to ensure that all Elance users have their accounts protected by “strong” passwords
• Communicated openly with TRUSTe who act as an industry watch-dog for security breaches online to validate our response to this
• Closed the recently identified security hole by releasing updated code on Elance
• Collaborated with our 3rd party security audit service to ensure that they now can identify this particular security hole in all cases
• Worked with authorities to take down sites that are unlawfully exposing any user information

What do I need to do?
As of Friday, July 17, Elance is now requiring all Elance users to reset their passwords for protection. When you log-in, you'll be prompted to follow a link sent to you at the email address we have on record for you. Meanwhile, remember to remain being vigilant about protecting your own personal information. Never give passwords out over the telephone or in email.

Will I start receiving unwanted solicitations (spam)?
Unfortunately, this is possible. We’ve received reports of both unwanted email and in some cases unwanted SMS solicitations. Because you’ll likely receive these notices, it’s important that you use caution when responding to email, and if you’re ever unsure about an email, it’s a good idea to avoid clicking on links there, and instead open up a browser and type in the URL to start a new session.

Is my information being made public on the Internet?
Some user information has been reported to be appearing on OutsourcingRoom.com. We are working with authorities to prevent their unauthorized use of this data.
 
 
If you have a specific question, please contact Elance by email at support@elance.com, and we will do our best to respond as quickly as possible with any new information.