- Resetting all passwords and regenerating API keys (e.g., for Notion, SendGrid, Hetzner).
- Deactivating all user accounts, restricting access to a minimal number of administrators with mandatory two-factor authentication (2FA).
- Initiating a forensic investigation.
Root cause analysis (October 5, Update #2) - Access the integrated automation platform (n8n).
- Retrieve an unrestricted API key for the internal Notion knowledge base, which contained infrastructure documentation and credentials.
- Use the compromised information to escalate access further and send emails from an internal account.
The company stated that internal processes and control mechanisms failed and accepted full responsibility for the incident. - Scope: The core Localmind platform was not compromised. The attack was confined to administrative interfaces and test environments. A limited number of customer systems were accessed, while on-premise instances showed no signs of unauthorized access.
- Forensics: Unauthorized logins were traced to IP addresses from VPN providers, complicating attribution. Login activity occurred outside regular business hours (nights, weekends). As of October 8, no evidence of large-scale data exfiltration was found.
- Data transparency: Localmind offered data exports to customers to conduct their own audits for potential GDPR breach notifications.
Remediation and security hardening measures 1. New infrastructure: A migration of virtual machines to new, Tier IV, ISO 27001/27018 certified data centers with a fully isolated infrastructure was nearly complete as of October 8. Systems are being rebuilt from clean data volumes (e.g., Docker volumes) onto new, hardened hosts.
2. Access security:
- Implementation of an F5 Web Application Firewall (WAF) with pre-authentication for each customer instance.
- Mandatory two-factor authentication (2FA) for all application logins.
- Deployment of the Wazuh security agent for centralized login monitoring and anomaly detection.
- All previous service accounts and credentials within automation workflows were deleted, requiring a re-issue.
3. Automation restriction: Critical automation nodes in n8n (e.g., Execute Command, Read/Write File to Disk) were disabled and will be unavailable in cloud environments going forward.
4. Enhanced monitoring: Additional security agents were deployed for endpoint security, configuration assessment, file integrity monitoring, and threat intelligence.
5. Process change: Each customer instance undergoes a manual audit and documentation before restart, with the audit protocol provided to the customer.
Subsequent Attack Attempt (October 9)