Several versions of 3CX’s desktop app have been affected by an attack on the vendor's product and larger supply chain.
The company is working with cybersecurity expert Mandiant to conduct a full-scale investigation and suggests customers use self-hosted and on-premise versions of its solution in the meantime.
The latest updates from Mandiant suggest that the breach may have gone undetected for several months.
“On March 29th, 3CX received reports from a third party of a malicious actor exploiting a vulnerability in our product,” writes CEO Nick Galea (pictured).
“Our highest priority is to be transparent in sharing details on what actions we are taking in response to this incident and what we know to date.”
The vendor is extending customers’ subscriptions by three months free of charge to compensate for the disruption.
Jamie Ward, CEO of major 3CX partner Gradwell, wrote on LinkedIn: “We are taking the security breach seriously and working with our customers to support them if they have been affected. Due to the way in which version upgrades are planned and then implemented by our technical engineers, Gradwell and our customers managed to avoid any meaningful disruption.
“It looks like this was state sponsored, and while it reflects badly on 3CX, let’s remember this could have happened to anyone. Much bigger names and institutions have been compromised in the past by bad actors. 3CX remain a key strategic partner of Gradwell and have our full support. It has been sad to see some of our competitors using this as a stick to beat 3CX (and us by association). Some of the behaviour has been shameful.”