For a couple of months now, line items are being automatically deleted in many of our debit notes, purchase invoices and delivery notes. Sometimes random new entries are being created without any manual input. Miscellaneous receipts and payment entries are also appearing in some of user accounts. We have been manually correcting them, assuming that it is human error but now it certainly appears that it isn’t.
Is there a logical explanation for this to happen? We use the Cloud version and have several users configured with varying permissions. None of the users (except the admin) have delete permissions for any function, so none of the entries are deleted. However, they are randomly created and updated, causing havoc and requiring hours of manual correction.
Sadly the problem is now so big (we have some 11000 odd items in our inventory) that we are considering alternative solutions. We hope we won’t have to switch.
Any help will be appreciated!
Welcome to the forum @funkyrainbow.com,
Unfortunately, I cannot reproduce your problem with the information provided.
You can demonstrate your problem with screenshots of the entries in question.
Make sure to include the history of these transactions which is the button on the bottom right of the view screen:
Not as you describe. Unless the transaction histories reveal anything, it seems to me access to your records has been hacked.
Thanks, @Tut and @Ealfardan . That has been our thinking as well, that the access has been compromised in some way. Is there a way of identifying the IP addresses from where the users login? All of our users access the cloud through known IP addresses at our location, so that might help us identify if there are ‘unknown actors’.
History reveals that certain users have updated the records, but on verification it doesn’t seem to be the case, hence the confusion. We had earlier deleted certain users and added new ones to see if the problem persists, and it does.
The attached screenshot is what the problem looks like.
This is what the history record shows for one of the affected Delivery Notes:
As you can see details are deleted en masse, sometimes at random.
Thank you for the help.
This is probably why you need to set strong passwords and change them regularly.
As for the IPs, I don’t think that that’s possible but, you can do the following:
- Go to users and
Impersonate each restricted user
- Click on the username at the top nav where you should see all active sessions:
- You log them all out.
For administrator accounts, you need to change the passwords, log in to them one by one and close all their sessions.
Also, I’d delete all unused accounts. Their history records will remain but the access is now completely gone.
PIC 1: Focus on Delivery Note #14
PIC 2: Delivery Note #14
PIC 3: History for Note #14
The history records only one user as having created and modified the record. But the user confirms that the deletions weren’t deliberate.
@Ealfardan we have done the logging out a few times recently, and have created new users a few times as well, but the problem has remained. Is there a possibility of the machine being compromised, say by a virus?
Thanks for all the help again.
If the deletions and creation do not appear in the history, it’s quite possible that the transaction has been undone using history.
Another thing I’d look into is check if there’s been any batch updates, batch creations or batch deletions.
The changes do appear in the history (as per screenshot in the earlier reply). No changes were undone using history though.
A somewhat delicate question: Do we have to consider sabotage as an explanation if there’s nothing wrong technically?
You actually could not tell that from the History file. When something is undone in either the main History file or the subsidiary History list for a transaction, it is as though it never occurred. So, let’s say someone maliciously changed a transaction, then went to the History file and undid the change. There would be no record. But the change would also no longer be affecting the transaction. This is different from a deletion, which would show in History.
The fact that these problems show up in History means the program is functioning as designed. (The imperfection of detecting unauthorized use of Undo is a different issue.) Someone is entering these changes. The question is who. Have you filtered by user? (The first of the dropdown filter menus at the top of the History list.) Although the user is listed in the History file listing, you might see patterns related to the affected transactions if you examined each user’s history in isolation.
Yes! That’s what I originally meant by your being hacked.
We had indeed filtered by user to see if we notice patterns, all we could tell at the time was that there was a series of such random activities at a certain time of day. The pattern has stopped now, and the damage has become difficult to spot (records related to previous months being deleted/modified etc). Our original diagnosis was that someone was actively disrupting the system. Glad to hear that it isn’t bug or system glitch.
Thanks a lot, @Tut you have been a great help.
I do not know the answer to your question, @compuit. And I am not the developer. So MFA is not up to me.
That really sounds suspicious, lending more weight to the idea of active sabotage.