Security Advisory: Unauthorized Access via Credential Stuffing

Update timeline

1. investigating Apr 15, 2026, 02:27 PM UTC

   We are currently investigating reports of unauthorized access to a small number of Pantheon customer accounts. Our evidence suggests these accounts were accessed using credentials stolen from external third-party data breaches (unrelated to Pantheon). This technique, known as "credential stuffing," relies on reused passwords. Required Actions for All Customers • Audit Your Sites: Check for unexpected code or file modifications. If you find any suspicious changes, contact Pantheon Support immediately. • Enable MFA (High Priority): Multi-factor authentication is your best defense against password theft. • Enable MFA here: https://docs.pantheon.io/guides/account-mgmt/account/mfa • Update Your Password: If you use your Pantheon password on any other site, change it immediately to a unique, strong passphrase. Next Steps: We are continuing our investigation and will provide further updates as more information becomes available.

2. resolved Apr 16, 2026, 08:30 PM UTC

   Final Update: We have concluded our investigation into the reports of unauthorized account access. Our team has worked directly with the small number of affected customers to secure their accounts and remediate any unauthorized changes. Monitoring & Conclusion: We have seen no further evidence of unauthorized activity related to this incident. Our systems remain secure, and we continue to monitor for suspicious login patterns. Ongoing Security Best Practices: While this incident is resolved, credential stuffing remains a common web-wide threat. To keep your account secure, we strongly recommend: • Enabling MFA on all Pantheon user accounts. • Using unique passwords managed via a password manager. • Rotating secrets/keys if you suspect your local environment has been compromised. Thank you for your patience as we worked to keep the Pantheon community secure.