Branchable's hosting provider, Linode, recently had its security compromised by an attacker.

So far we have no evidence that the attacker could have gotten access to Branchable due to this compromise. We're continuing to investigate, and if we do see any indication that our security could have been breached, we will immediately inform our users, and reinstall Branchable from secure backups.

We'll also be evaluating how Linode deals with this security breach going forward, and deciding whether to remain at this hosting provider.

While we have no reason to believe an attacker got into Branchable, this is a good time to review our security practices. As far as your own data stored at Branchable goes, there are basically three things to think about from a security perspective:

git repository security

The git repository that stores your site prevents an attacker from modifying a file without it being easily noticed. They would have to make a git commit with any malicious changes. If you have cloned your git repository to your own computer, you can examine this clone to verify your data at Branchable has not been tampered with.

Since your site's configuration is also stored in git, in the setup branch, git can also be used to verify that it has not been tampered with.

authentication security

We don't use passwords to control access to the Branchable control panel, or to your Branchable sites. We consider passwords a security hazard and like to avoid them whenever possible.

Some Branchable sites may be configured, by their owners, to allow users to log into them with passwords. This is not a default configuration. You can check if your site allows this by checking if it has the passwordauth plugin enabled in the Setup page. Sites that do use passwordauth do not store the passwords, but only a salted hash (using Eksblowfish). Any attacker who compromised Branchable would not be able to access the passwords of your site's users.

personally identifying information

A small amount of personally identifying information is stored about Branchable users. This includes the name and email of our customers. It also includes a few days of web access logs.


Once again, we have no reason to believe any attacker has compromised Branchable. If we see any indications of a compromise, we'll immediately let you know.