Security in Octo: Real Threat Examples and Best Protection Practices

Existing threats: a real case

Not long ago, several users contacted us with a case that clearly demonstrates several security configuration issues that can lead to losing control over profiles.

Attackers logged into several Octo user accounts and gained access to their profiles. During our investigation, we found out that:

• the accounts were logged into on the first attempt, meaning the attackers knew the passwords;

• none of the affected users had 2FA enabled;

• the affected users’ data was present in leaks from niche websites, which may have helped attackers identify which accounts to target.

The probability that attackers obtained passwords from the Octo database is zero, as we do not store passwords in plain text. This data is encrypted, and even the Octo team does not have access to it. The possibility of brute-forcing login credentials was also ruled out, as Octo’s security systems detect suspicious activity and reset passwords for users at risk. A breach via previously leaked data from a third-party service was also considered unlikely, as one of the affected users had changed their password after the leak was discovered.

The most likely tool used by attackers to gain access to accounts was a stealer program. Such malware programs are installed on a user’s device and steal login credentials for various services.

Conclusion: the most effective way to protect your data is to enable two-factor authentication. It significantly reduces the risk of security breaches, including attacks carried out with stealer malware. This applies not only to Octo, but to any other service as well.

The Octo team cannot protect users’ devices from stealer malware. However, at the level of service architecture and available security options, we have established protection measures against all possible attack vectors. Still, as the case above shows, this may not be enough. Let us break down what has already been done on the Octo side and where your direct involvement is required.

What we have already done to protect your profiles

• We ensure secure data storage. We use AES-256 encryption, one of the most secure encryption standards, used by government institutions, financial organizations, banks, and major companies.

• We encrypt profile data using multiple components: a secret key, a unique database key, and a user key if the profile has been password-protected. If an attacker does not have access to even one of these components, decrypting the profile is impossible.

• We implement brute-force protection. If there is a threat, we reset the user’s password.

• We continuously improve data protection as part of regular updates, e.g., moving to more advanced encryption methods and adding new security event monitoring processes.

What you should do first yourself

• Enable two-factor authentication. This simple step will protect you from most common threats. Also make sure to store your 2FA backup codes in a safe place in case you lose access to the device linked to 2FA.

• Ensure guaranteed access to the email address used to register your Octo account. Only through this email will you be able to change your password in case of a forced password reset.

What else you can do to increase your account security

• Use unique and complex passwords. This will not protect you from stealer malware by itself, but it is a good start.

• Check whether your data has been exposed in leaks. Most likely, it has. The most dangerous situation is when the leak comes from a niche resource whose users are more likely to use anti-detect browsers. In that case, attackers have everything they need to select you as a priority target and attempt to access your profiles using stolen data.

• Set passwords to your most important profiles. If you have profiles that allow fund withdrawals, it is best to protect them with an additional password. Octo conveniently offers this possibility. No one except you will know this password. This means attackers will not be able to access the profile even if they literally steal your device. Such a profile also cannot be transferred to another Octo account. However, be careful: if you forget or lose the profile password, it cannot be recovered.

• Configure access rights within your team. The human factor is the main cause of various issues, not only those related to Octo security. You can configure profile access rights for different team members using tags. If you need to revoke a team member’s access to certain profiles, you can easily do so in your account settings in the “Team” section. The team master can also completely delete a team member's account.