Actions Following Suspected Account Compromise

If you suspect unauthorized activity related to your Adyen account, you should take the following actions:

Ensure you have regained control

For all of the following steps, you must be sure you're in control of the compromised accounts again. For example, sending a Reset password link to a mailbox that an attacker still compromises will not provide the desired result. Similarly, changing API keys while an attacker still has access to your Customer Area and can add or replace the API again also does not help.

Secure User Access to Customer Area:

• Deactivate Users: If any user accounts are suspicious or no longer needed, deactivate them via Settings > Users > select user > Deactivate user.
• Reset User Passwords: As an administrator, navigate to Settings > Users in your Customer Area. Select the user(s) you believe may be affected or require a password update. Choose the Send password reset option. The user will receive an email with a link (valid for 24 hours) to create a new password.

Review User Roles: Check the permissions assigned to users. Review the Roles section in the user details page (Settings > Users > select user) and adjust permissions as necessary.

Secure API Access:

• Generate New API Credentials: Access your Customer Area and navigate to Developers > API Credentials. Create new API credentials (either a new API key or generate a new Basic Authentication password, depending on your integration). Store these new credentials securely.
• Deactivate Old Credentials: Deactivate the potentially compromised API key(s) or Basic Authentication credential(s). 
• Review Permissions: While managing API credentials, review the assigned Roles and ensure they grant only the necessary permissions.
• Consider IP Restrictions: For added security, add allowed IP addresses to your API credentials to restrict where requests can originate.

Secure Webhook Communications:

• Generate New HMAC Key(s): If you use webhooks secured with HMAC keys, these may need regeneration. Go to Developers > Webhooks in your Customer Area. Select the webhook configuration to update and choose the edit option. Under Security, use the option to Generate a new HMAC key.
• Update Your System: Copy the newly generated HMAC key and store it securely in your system responsible for verifying incoming webhooks.
• Handle Key Transition: It takes time for the new key to propagate. Your system should be prepared to validate webhooks signed with the previous key shortly after generating the new one, as queued webhooks might still use the old signature.

These steps, derived from the provided documentation links, focus on resetting potentially compromised credentials (API, HMAC) and managing user access/passwords for the Customer Area.

For more information, please visit our documentation:

• API credentials
• HMAC configuration
• User credentials