Incident report

  • February 4, 2021

Today, February 3rd 2021, at around 15:20 UTC, we became aware of a data breach on one of our test systems. We used the system to evaluate and benchmark possible solutions relating to the storage and management of the log data generated by our products and services.

Immediately after becoming aware of the breach, we took the affected system offline and started an investigation. We determined that the logged information contained no personal information whatsoever, except for 14 customer email addresses of 7 different organizations. While this number is small, we still believe it is the right thing to inform all our customers about the incident, how exactly it happened, and what we are planning to do in order to prevent similar incidents in the future.

What happened?

To evaluate future storage options for our log and event data, we set up several different databases and storage systems for benchmarking and evaluation. We seeded these systems with a subset of log records taken from production systems to better understand how the systems we were evaluating would perform given our exact usage scenario. Unfortunately, due to a configuration error, one of the databases was accessible to unauthorized third parties from January 18th 2021 to February 3rd 2021. We have reason to believe that at least one individual accessed some or all of the data contained within that database.

The stolen data in question consists of technical logs produced by our endpoint protection software during normal usage, such as update protocols, and generally does not contain any personal information like passwords, password hashes, user account names, billing information, addresses, or anything similar. However, as part of the investigation, we noticed that 14 customer email addresses were part of the scan logs due to detections of malicious emails stored in the users’ email clients.

Update February 4th 2021: The attack profile indicates that this was an automated attack and not specifically targeted at Emsisoft. Also, our traffic logs indicate that only parts of the affected database were accessed and not the entire database. However, due to technical limitations it’s impossible to determine exactly which data rows were accessed.

Steps we have taken

We immediately started an internal investigation. As previously noted, the type of log data which may have been accessed does not typically contain personal information. At no time did the exposed server provide access to our production systems or databases. Nevertheless, we have started a complete forensic analysis that we hope to finish within the next week. If any new findings arise, we will update this posting accordingly.

We have also reached out to the affected users whose email addresses were, unfortunately, part of the stolen logs, to apologize for this incident. If you have not received an email from us regarding the breach, you were not one of the 14 people whose email address may have been exposed during this incident. However, even if you haven't received an email from us, please feel free to reach out to our customer support team should you have any questions.

Going Forward

As always, your privacy and the security of your data are our highest priority. We therefore immediately put multiple new policies in place to prevent any similar incidents:

As always, we continually assess our procedures and policies and seek new ways to improve our approach to security. We understand the importance of our role as guardians of your information and online safety and will continue to work every day to re-earn your trust.

Finally, we would like to offer our sincere apologies. This incident should not have happened, and we are sorry that it did.

Thank you for your understanding.

Emsi


Emsisoft founder and managing director. In 1998, when I was 16, a so-called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story
