IMPORTANT NOTICE: Unusual Reckon Accounts Hosted activity detected

Rav (Administrator, Reckon Staff; Posts: 16,418; Reckon Community Manager)
edited January 2023 in Accounts Hosted

IMPORTANT NOTICE

Unusual Reckon Accounts Hosted activity detected

Please be advised that we have recently identified a number of suspicious login attempts on the Reckon Accounts Hosted login page. These attempted logins occurred on the 27th of December to the 9th of January 2023 and were using randomly generated UserID and Password combinations.


As soon as the irregular activity was detected, we took action to block these attempts and started an immediate investigation.


Based on all the information we currently have, we believe that there were no successful logins, and no client data was compromised.


While our investigation is not yet complete, and has taken until today to get a better sense of what happened, we wanted our customers to be aware of what has happened as soon as possible so they can ensure they are vigilant about the security of their data.


What you can do:

  • Ensure you have a robust password or passphrase set on your Reckon Hosted User account. For more information on passphrases click here. For information on changing your Reckon Accounts Hosted User password click here.
  • Create unique, complex passwords on each of your QBW data files. For information on how to set up users and passwords on your QBW file, log into your data file and open the Passwords: Adding Help File.
  • Contact Reckon if you have noticed any unusual activity within your Reckon Accounts Hosted account or Reckon Accounts company file(s) since the 27th of December.


What Reckon are doing:

  • We have taken immediate steps to block the attempted logins.
  • We will be making improvements to the way Reckon Accounts Hosted passwords are handled in the immediate future.
  • We will continue to enhance and improve the overall security and monitoring of the Reckon Accounts Hosted environment.
  • We are continuing our investigation and will notify and work with the relevant authorities where required.


Further updates will be made in this thread as they come to hand and if you have any questions please feel free to reply below.
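A defender-side illustration of the pattern the notice describes (a burst of failed logins from one source, each using a different user ID that does not belong to any real account), as an added example that is not Reckon's code: the log line format, the IP addresses, the user IDs and the known-user list are all constructed for the example. A legitimate user who mistypes retries the same ID, so their distinct-ID count stays low and they are not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format itself is an assumption for this example.
SAMPLE_LOG = """\
2023-01-03T10:00:01Z login FAIL ip=203.0.113.7 user=qz8k2lp
2023-01-03T10:00:02Z login FAIL ip=203.0.113.7 user=a91xmw4
2023-01-03T10:00:03Z login FAIL ip=203.0.113.7 user=ttv0q7s
2023-01-03T10:00:04Z login FAIL ip=203.0.113.7 user=m3pe8ya
2023-01-03T10:00:05Z login FAIL ip=203.0.113.7 user=r7d1c2x
2023-01-03T10:00:05Z login FAIL ip=203.0.113.7 user=r7d1c2x
2023-01-03T10:01:00Z login FAIL ip=198.51.100.9 user=jsmith
2023-01-03T10:01:20Z login FAIL ip=198.51.100.9 user=jsmith
2023-01-03T10:01:40Z login OK ip=198.51.100.9 user=jsmith
"""
LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) ip=(\S+) user=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, ip, user) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, ip, user = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, ip, user))
    return events


def flag_random_id_sources(events, known_users, window=timedelta(minutes=5), min_distinct=5):
    """Return {ip: distinct_unknown_ids} for sources whose failed logins inside any
    `window` used at least `min_distinct` different IDs that are not real accounts."""
    by_ip = defaultdict(list)
    for ts, result, ip, user in events:
        if result == "FAIL" and user not in known_users:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {u for _, u in fails[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(flag_random_id_sources(parse(SAMPLE_LOG), {"jsmith"}))
```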

Comments

  • Rachael Hodgen (Member; Posts: 3; Reckoner)

    I have received 2 emails today from Reckon regarding these login attempts. One says my User ID was used and one doesn't state that it was. As several clients use my email address for Reckon communications how do I determine which User ID was used?

  • John Graetz (Member; Posts: 1,655; Reckon Star)
    edited January 2023

    I was another who received a similar email, stating that access attempts had been made using my User ID. One wonders how somebody could get hold of my User ID. Then I recalled that five weeks ago, I became aware that a data breach had occurred at the ATO and MyGov and that data was being sold on the black market. So it is possible that my MyGov details were obtained from this source, because that is the same way that I process STP lodgments. The following information was reported as having come from ABC News on 28/11/2022:

    "MyGov and ATO services are built with two-factor authentication, which protects accounts with compromised usernames and passwords, but those same login details could be used as a means to bypass less-secure services."

    An obvious less secure service has the potential to be Reckon Hosted (there is no two-factor authentication involved with a login), although Reckon apparently have means to detect any such attempts. So, I decided to immediately change my password details.

    A short while later, I did receive an email from Reckon, signed by Sam Allert, Managing Director, stating that my password had been changed. What did greatly concern me about this though, was that this email also decided to detail what my new password was. My opinion is that using an email to quote back to me my new password is not a very secure method of doing so, unless of course that email was encrypted. I have nothing to support a contention that this email was other than something which could be easily intercepted and read by somebody who should not be seeing it. Are you able to comment about this, please, Rav? John L G

  • Laurelle Searle (Member; Posts: 14; Reckoner)

    What do I need to do to make sure that my file is not accessible to the current attack?

    Is it possible to put dual authentication into place, as I have with myGov etc.?

  • Rav (Administrator, Reckon Staff; Posts: 16,418; Reckon Community Manager)

    Apologies for my delay in getting back to you both.


    @Rachael Hodgen

    I believe Andrew from our Partner team has already been in touch for a chat just to clarify what happened there. Apologies for the confusion those multiple emails caused.


    @John Graetz

    "I was another who received a similar email, stating that access attempts had been made using my User ID. One wonders how somebody could get hold of my User ID."

    Our investigations are continuing into this; however, from what we understand so far, the attempts were made using random combination attempts, i.e. multiple randomised attempts as opposed to specific information being obtained.


    "What did greatly concern me about this though, was that this email also decided to detail what my new password was. My opinion is that using an email to quote back to me my new password, is not a very secure method of doing so, unless of course, that email was encrypted."

    In regard to the above, it's a good point you make and to that end I'm happy to advise there has been active development work in this area just prior to Christmas which we're aiming to roll out to Reckon Accounts Hosted very soon to both enhance and tighten the password reset process.

    Andrew will also be giving you a buzz later this afternoon for a chat as well.

  • Rav (Administrator, Reckon Staff; Posts: 16,418; Reckon Community Manager)
    edited January 2023

    📢 UPDATE - 8 January 📢

    Hi everyone

    If you're logging into Reckon Accounts Hosted today you may notice you're landing on a Human Verification authentication page prior to reaching the usual Reckon Accounts Hosted login screen.

    We've introduced this to the login process as an added security measure for our Reckon Accounts Hosted users while our investigation into the unusual login activity continues.


    The verification page will ask you to perform a quick and easy authentication task, such as solving a simple shape puzzle using the slider on-screen or placing a dot to complete the path; check out the screen recording below for examples.



    Once you have successfully completed the verification you will be taken to the regular Reckon Accounts Hosted login screen for you to login as normal and access your file.


    If you have any questions please reply with a comment below and we're more than happy to assist.

    ____________________________________________________

    Update - 8 Jan 3:18pm

    Just a further update to the post above regarding the 'Human Verification' authentication. This step is now targeted and should not appear for most users.

    We are continuing to perform investigative work into this and further information will be posted to this thread as soon as possible.

  • Rav (Administrator, Reckon Staff; Posts: 16,418; Reckon Community Manager)

    Hi again everyone

    Just a further update to my previous post above regarding the 'Human Verification' authentication. This step is now targeted and should not appear for most users.

    We are continuing to perform investigative work into this and further information will be posted to this thread as soon as possible.