August 4 Security Incident
On August 4th, 2015, we reset all of our customers’ passwords and emailed them a password reset link to create a new one. Your account security is extremely important, which is why we acted quickly to reset all customer passwords.
Over the past few days, we’ve continued to investigate and we now have further details to share.
- On Tuesday, August 4, we detected unauthorized access into one of the systems at Hover. The unauthorized access took place during a period of approximately 15 minutes.
- An administrative area of Hover was accessed using valid administrative credentials acquired by the person or persons accessing the system.
- We immediately blocked access to the administrative area and have since made changes to prevent unauthorized access from happening again, even with valid credentials.
- As we consider any unauthorized access to our systems to be a compromise of data, we promptly reset all Hover customer passwords and notified all customers via email.
Our team of developers, security experts and support staff have worked around the clock since the incident occurred. This incident has caused us to scrutinize, test, and improve all Hover processes, ranging from tightened access controls to systems design.
We appreciate your patience and cooperation while we worked through this issue.
There are further measures you can take to keep your account even more secure, which we encourage you to do.
Use A Unique & Complex Password
Use a unique and complex password and never reuse passwords for different services. A good password is at least 12 characters long and consists of different letters (a mixture of upper and lower case), numbers and symbols. A password manager like 1Password or LastPass will allow you to easily generate great passwords and securely store them so you don’t need to remember them all.
Use Two-Factor Authentication
With two-factor authentication, you will add an additional step required to access your account. After entering your password when logging in, you will be prompted to provide a unique and time-sensitive code accessed via your mobile device. This keeps your account safe even if someone accesses your password. For instructions on how to set this up, see our two-factor authentication article.
Frequency Asked Questions
How do I access my account?
Visit https://www.hover.com/signin/forgot_password to choose a new Hover account password. If you’ve already done that, no further action is needed.
Was my Hover account accessed?
There is no evidence that any Hover accounts have been accessed.
Was my financial/payment information accessed?
There is no evidence that any financial/payment information has been accessed.
How are passwords secured?
All account passwords are encrypted using industry-standard, high encryption (bcrypt). Additionally, we never send lost passwords. To reset a password, customers must use a password reset link and email, which contains a time-limited encrypted token.