Keys dissapearing ... again ...Answered

Hello,

Once again, we're facing the issue I mentioned before in this topic : https://wyday.com/forum/t/29867/keys-dissapearing/

A client reported that while they were able to open the software this morning, they can no longer do so. Upon investigation, we found that their license had expired. The license key we created months ago with 5 activations, 'TRUP-5X4K-9Q4C-2GBC-AQD8-HBGS-HSTA', has disappeared from the LimeLM control panel.

Currently, we cannot find this license key in our panel.

Our account has 2FA enabled, our API is set to accept requests only from our own IP, we did not delete the license key and i am using a paid account.

This is the second time this has happened to us. Last time, more than 10 keys were deleted, and now we're investigating how many have been removed.

In short, I want to know what happened to this key. You mentioned before that you don't keep logs; I hope you're logging now.
TRUP-5X4K-9Q4C-2GBC-AQD8-HBGS-HSTA

Answer

You mentioned before that you don't keep logs

We keep logs for activity. We don't keep logs for user-actions like deleting keys whether by API or manually by a logged-in user.

  1. If you're having unusual activity, limit the amount of users to those you can trust.
  2. Rotate all API keys immediately.
  3. Move your API calling-code to a restricted machine with good logs.

#1 or #3 are likely the source of your problems (bad employee and/or compromised machines).

, edited

I don't want to argue to be honest, but I find it very strange that there is no logs available about what happened to the license key. I am quite certain that neither I nor my partner deleted the key.

We do not currently use the API to manage our licenses. However, we plan to implement your API soon in our portal, which operates on our local servers.

We trust you with the integrity of our licensing system and are integrating TurboActivate into our software. I believe you should also take responsibility and look into this matter.

May I also ask, what type of "activities" do you keep logs of? Why are actions like deleting or creating licenses not considered worthy enough to log?

To clarify:

1. I have two user accounts—one for myself and one for my partner.
2. I will.
3. The API calling code is running on our local company server.

, edited

May I also ask, what type of "activities" do you keep logs of?

Access to our systems from outside. I.e. regular use of our service and attempted hacks of our services.

Legitimate access (API keys, user behavior via logged-in user) is not logged (well, not logged in the way you’re hoping it’s logged).

, edited