Incident Report: Spambot Attack (2 July 2021)

What happened?
Around 12:00 UTC on 2 July 2021, P2PU was subject to a spambot attack that created 12,800 accounts using email addresses taken from third-party spam registries. (These email addresses were not related to our organization, and P2PU’s database was not compromised.) Each of those new accounts received an email asking the recipient to confirm their email address.

An additional 3,123 email addresses were registered as participants in a legitimate learning circle that we believe was selected at random. All of these addresses received an email saying that they had been added to the learning circle, and the learning circle facilitator was CC’d on each of those messages. In total, about 16,000 emails were delivered. All learning circle signups and account signups came from two VPN IP addresses.

How was it detected?
P2PU received ~100 emails, either bouncebacks or replies from real people who received a message asking them to confirm their account. Additionally, the affected facilitator reached out via both the Community forum and the Support page.

Short-term mitigation:
Within two hours, account creation was temporarily suspended sitewide and our automated email messaging was paused, which stopped the attack. Once we had determined what happened, the new accounts and registrations and all associated data were deleted from our database. We followed up privately with the affected facilitator and are manually replying to any messages that come from those who were impacted.

Long-term mitigation:
Incidents like this are exceedingly rare for P2PU. We have now implemented several backstops to prevent automated spam attacks in the future including rate limiting, registration CAPTCHAs, and spam filtering. We are in the process of updating our human-powered moderation policies to check for edge cases that slip by automated protections.
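As an added illustration of the rate-limiting backstop described above (this is example code written for this page, not P2PU’s own implementation), the block below applies a per-source sliding-window limit to signup events and reports which sources were cut off. The log format, the IP addresses, the email addresses and the limit of five signups per source per minute are all assumptions made for the example; the sample log is constructed and contains a small burst of account signups from one address and a burst of learning-circle registrations from another, mirroring the shape of the incident on a much smaller scale.

```python
"""Sliding-window rate limiting and burst detection for signup endpoints.

Added example, not P2PU's code. Log format, addresses and thresholds are
assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed sample log (not real P2PU logs). One line per event:
# <ISO-8601 UTC timestamp> <event> ip=<source> email=<address>
# "signup" is an account creation, "lc_signup" a learning-circle registration.
SAMPLE_LOG = """\
2021-07-02T11:58:02Z signup ip=203.0.113.10 email=alice@example.org
2021-07-02T11:59:40Z lc_signup ip=203.0.113.22 email=bob@example.org
2021-07-02T12:00:00Z signup ip=198.51.100.7 email=a1@example.net
2021-07-02T12:00:03Z signup ip=198.51.100.7 email=a2@example.net
2021-07-02T12:00:06Z signup ip=198.51.100.7 email=a3@example.net
2021-07-02T12:00:09Z signup ip=198.51.100.7 email=a4@example.net
2021-07-02T12:00:12Z signup ip=198.51.100.7 email=a5@example.net
2021-07-02T12:00:15Z signup ip=198.51.100.7 email=a6@example.net
2021-07-02T12:00:18Z signup ip=198.51.100.7 email=a7@example.net
2021-07-02T12:00:21Z signup ip=198.51.100.7 email=a8@example.net
2021-07-02T12:01:00Z lc_signup ip=198.51.100.8 email=b1@example.net
2021-07-02T12:01:02Z lc_signup ip=198.51.100.8 email=b2@example.net
2021-07-02T12:01:04Z lc_signup ip=198.51.100.8 email=b3@example.net
2021-07-02T12:01:06Z lc_signup ip=198.51.100.8 email=b4@example.net
2021-07-02T12:01:08Z lc_signup ip=198.51.100.8 email=b5@example.net
2021-07-02T12:01:10Z lc_signup ip=198.51.100.8 email=b6@example.net
2021-07-02T12:01:12Z lc_signup ip=198.51.100.8 email=b7@example.net
2021-07-02T12:01:30Z signup ip=198.51.100.7 email=a9@example.net
2021-07-02T12:02:00Z signup ip=203.0.113.10 email=alice2@example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ip=(\S+) email=(\S+)$")


def parse_signup_log(lines):
    """Yield (timestamp, event, ip, email) tuples; skip lines that don't match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_text, event, ip, email = m.groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, event, ip, email


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds.

    Each key holds a deque of recent event times; stale entries are dropped
    from the front before the count is checked, so the window slides rather
    than resetting on a fixed boundary.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def find_burst_sources(lines, limit=5, window_seconds=60):
    """Replay a signup log through the limiter, keyed by (event, ip).

    Returns {(event, ip): rejected_count} for every source that exceeded the
    limit; sources that stayed under it do not appear.
    """
    limiter = SlidingWindowLimiter(limit, window_seconds)
    rejected = defaultdict(int)
    for ts, event, ip, _email in parse_signup_log(lines):
        if not limiter.allow((event, ip), ts.timestamp()):
            rejected[(event, ip)] += 1
    return dict(rejected)


if __name__ == "__main__":
    for (event, ip), n in sorted(find_burst_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{event:10s} {ip:15s} rejected={n}")
```

Keying the limiter on the event type as well as the source address keeps a limit on account creation from also throttling unrelated learning-circle registrations from the same address, while still catching either endpoint being hammered on its own. Replaying an existing log through the same limiter that the live endpoint would use is a cheap way to check that a proposed threshold would have caught the burst without rejecting the legitimate signups around it; in the constructed log, the two legitimate addresses are never rejected even though one of them signs up twice, because its earlier event has aged out of the window.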

If you have further questions, please feel free to reply below or email us at thepeople[at]p2pu[.]org.