A routine bug bounty submission triggered a deep investigation at a digital signage company and revealed how strong processes guide fast, measured incident response. The discussion highlights what transparency looks like in practice and why passwordless authentication is becoming central to reducing credential-driven risks.
This episode focuses on a security incident that prompts an honest discussion about transparency, preparedness, and the importance of strong processes. Sean Martin speaks with Viktor Petersson, Founder and CEO of Screenly, who shares how his team approaches digital signage security and how a recent alert from their bug bounty program helped validate the strength of their culture and workflows.
Screenly provides a secure digital signage platform used by organizations that care deeply about device integrity, uptime, and lifecycle management. Healthcare facilities, financial services, and even NASA rely on these displays, which makes the security posture supporting them a priority. Viktor outlines why security functions best when embedded into culture rather than treated as a compliance checkbox. His team actively invests in continuous testing, including a structured bug bounty program that generates a steady flow of findings.
The conversation centers on a real event: a report claiming that more than a thousand user accounts appeared in a public leak repository. Instead of assuming the worst or dismissing the claim, the team mobilized within hours. They validated the dataset, built correlation tooling, analyzed how many records were legitimate, and immediately reset affected accounts. Once they ruled out a breach of their systems, they traced the issue to compromised end user devices associated with previously known credential harvesting incidents.
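The correlation step described above can be shown in code. The following is an added example, not Screenly's own tooling: it de-duplicates a dump of `email:password` lines, discards the password half immediately, matches the addresses against a user table, breaks the matches down by recent activity and paying status (the same cuts the episode walks through: raw records, matched accounts, active in the last year, paying), and returns the list of accounts to password-reset. The `User` type, the sample dump and the user table are all constructed here for illustration.

```python
"""Correlate a reported credential dump against a user table.

Added example, not Screenly's own tooling. Every record below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    email: str
    last_login: Optional[date]   # None = never logged in
    paying: bool


def normalize_email(raw: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return raw.strip().lower()


def extract_emails(leak_lines: Iterable[str]) -> Tuple[int, set]:
    """Pull the address out of 'email:password' style lines.

    The password part is split off and discarded right away: the
    investigation needs the identity, never the secret.
    """
    raw = 0
    emails = set()
    for line in leak_lines:
        raw += 1
        candidate = line.split(":", 1)[0]
        if "@" in candidate:
            emails.add(normalize_email(candidate))
    return raw, emails


def correlate(leak_lines: Iterable[str], users: Iterable[User], today: date,
              active_days: int = 365) -> Tuple[Dict[str, float], List[str]]:
    """Return (summary, matched_emails); matched_emails is the reset list."""
    raw_count, leaked = extract_emails(leak_lines)
    by_email = {normalize_email(u.email): u for u in users}
    matched = sorted(e for e in leaked if e in by_email)
    cutoff = today - timedelta(days=active_days)
    active = [e for e in matched
              if by_email[e].last_login is not None
              and by_email[e].last_login >= cutoff]
    paying = [e for e in active if by_email[e].paying]
    summary = {
        "raw_records": raw_count,
        "unique_addresses": len(leaked),
        "matched_accounts": len(matched),
        # Share of the dump that maps to real accounts. A high ratio points to
        # a dump that concerns this service; a low one suggests a random list
        # that overlaps by chance.
        "match_ratio": round(len(matched) / len(leaked), 3) if leaked else 0.0,
        "active_last_year": len(active),
        "paying_active": len(paying),
    }
    return summary, matched


# --- constructed sample input (not real data) ----------------------------
TODAY = date(2025, 11, 9)
LEAK = [
    "alice@example.com:hunter2",
    "Alice@Example.com:hunter2",      # duplicate differing only by case
    "bob@example.com:pass",
    "nobody@elsewhere.test:x",        # not an account here
    "carol@example.com",              # address only, no password part
    " dave@example.com :qwerty",      # stray whitespace
    "garbage line without address",   # typical dump noise
    "bob@example.com:pass",           # exact duplicate
]
USERS = [
    User("alice@example.com", TODAY - timedelta(days=10), paying=True),
    User("bob@example.com", TODAY - timedelta(days=400), paying=True),
    User("carol@example.com", None, paying=False),
    User("dave@example.com", TODAY - timedelta(days=30), paying=False),
    User("erin@example.com", TODAY - timedelta(days=1), paying=True),
]

if __name__ == "__main__":
    summary, reset_list = correlate(LEAK, USERS, TODAY)
    for key, value in summary.items():
        print(f"{key:18} {value}")
    print("reset:", reset_list)
```

Run as a script it prints the funnel (8 raw lines, 5 unique addresses, 4 matched, 2 active, 1 paying) and the four addresses to reset. In a real investigation the user table would be read from the production database in a read-only, isolated environment, and the reset list fed to the existing password-reset flow rather than handled by hand.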
This scenario demonstrates how a strong internal process helps guide the team through verification, containment, and communication. Viktor emphasizes that optional security features only work when customers use them, which is why Screenly is moving to passwordless authentication using magic links. Removing passwords eliminates the attack vector entirely, improving security for customers without adding friction.
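To make the magic-link idea concrete, here is an added example of a minimal passwordless login flow. It is not Screenly's implementation; it assumes a hypothetical web app that can email a URL, with the email transport stubbed out and the placeholder domain `app.example.test`. The design points it shows: the token is 256 bits of random data, only its SHA-256 digest is stored server-side (so a read of the token table does not yield usable links), every link expires after a short window, and a link is consumed on first use so a replayed copy fails.

```python
"""Passwordless login with single-use, expiring magic links.

Added example, not Screenly's code. The in-memory dict stands in for a
database table; the clock is injectable so the expiry logic can be tested.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60          # short lifetime limits a forwarded link's value
BASE_URL = "https://app.example.test/login/magic"   # placeholder, not a real host

# digest(token) -> record; only the digest is persisted, never the token
_pending: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a one-time link for `email` and return it for the mailer to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)    # 32 random bytes: unguessable
    _pending[_digest(token)] = {
        "email": email.strip().lower(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{BASE_URL}?token={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the token is unknown,
    expired, or already used. A successful redemption consumes the record."""
    now = time.time() if now is None else now
    rec = _pending.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True        # single use: the same link cannot log in twice
    return rec["email"]


def token_from_url(url: str) -> str:
    """Extract the token query parameter the way the login endpoint would."""
    return url.rsplit("token=", 1)[1]


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com")
    print("email this to the user:", link)
    tok = token_from_url(link)
    print("first click  ->", redeem_magic_link(tok))    # alice@example.com
    print("second click ->", redeem_magic_link(tok))    # None (already used)
```

Looking the record up by the token's digest means the server never compares raw secrets, and the unknown, expired and used cases all return the same `None` so the response does not reveal which condition failed. In a production system the record would carry the issuing IP and user agent for audit, and the app would still offer 2FA and SSO on top, as the conversation below notes.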
For listeners, this episode offers a clear look at what rapid response discipline looks like, how bug bounty reports can add meaningful value, and why passwordless authentication is becoming a practical way forward for SaaS platforms. It is a timely reminder that transparency builds trust, and security culture determines how confidently a team can navigate unexpected events.
Learn more about Screenly: https://itspm.ag/screenly1o
Note: This story contains promotional content.
GUEST
Viktor Petersson, Co-founder of Screenly | On LinkedIn: https://www.linkedin.com/in/vpetersson/
RESOURCES
Learn more and catch more stories from Screenly: https://www.itspmagazine.com/directory/screenly
LinkedIn Post: https://www.linkedin.com/posts/vpetersson_screenly-security-incident-response-how-activity-7393741638918971392-otkk
Blog: Security Incident Response: How We Investigated a Data Leak and What We're Doing Next: https://www.screenly.io/blog/2025/11/10/security-incident-response-magic-links/
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Spotlight Brand Story: https://www.studioc60.com/content-creation#spotlight
Keywords: sean martin, marco ciappelli, viktor petersson, security, authentication, bugbounty, signage, incidentresponse, breaches, cybersecurity, brand story, brand marketing, marketing podcast, brand story podcast, brand spotlight
[00:00:22] Sean Martin: Hello everybody. You're very welcome to a new brand story here on ITSPmagazine. This is where we get a chance to talk to founders of companies, developers of products, and deliverers of services that hopefully at some point help the business grow and do so safely. So we want business to generate revenue and do it in a way that makes sense. Of course, we often look at new technologies as well. And today I'm thrilled to have Viktor on from Screenly. Viktor, how are you?
[00:00:59] Viktor Petersson: Good. How are you, Sean?
[00:01:00] Sean Martin: Doing great. Doing great. Great to connect remotely here. We saw each other at Black Hat not too long ago, and we had a good chat there about all kinds of things, including bug bounties and vulnerability management.
I wanna start by saying this first: kudos to you and the Screenly team for being so open about the topic we're gonna talk about today. A lot of organizations try to stick their head in the sand and kind of shove the story aside. That doesn't build trust, which this particular industry needs to build.
So I'm grateful to you for sharing this story. Of course, you wrote it up, so we'll link to your LinkedIn post and your blog so people can get all the nitty-gritty details we don't cover today. We're gonna get into that event and how you handled it in a moment. First, a brief word about you, and then maybe the elevator pitch of what Screenly is and what you're trying to solve.
[00:02:01] Viktor Petersson: Yeah, sure. So Screenly is a secure digital signage platform, and that's really the fancy word for display management. What we basically help customers do is display content on screens in their offices or in public. We make sure that devices are secure and updated, and we take on the whole life cycle. And that's really what we do: we make content management easy for screens.
[00:02:27] Sean Martin: And gimme an example of where that matters. I can picture hospitals, right, where...
[00:02:34] Viktor Petersson: Yeah, I mean, healthcare is a big customer base, Fortune 500. We have customers like NASA trusting us for their signage. Financial services, not being a big one, but basically the big picture is that companies that care about security, there are plenty of options out there for signage.
A lot of them don't really prioritize security, and I think we're gonna dive into what it actually means to prioritize security in this little episode here, right? But we really, like, security is our DNA, not an afterthought. A lot of people flash their badges, their SOC 2, their ISO and yada yada.
We spoke of this before. It doesn't actually mean that you're secure. It just means that you passed a series of checkboxes. Security is a culture problem. We've prioritized that. We have built security into that culture, and I think today is really the manifestation of that. So I think that really sets us apart.
[00:03:28] Sean Martin: Yep. And security isn't binary either. It's not on or off. It's not a hundred percent or...
[00:03:35] Viktor Petersson: And it's never done.
[00:03:35] Sean Martin: It could be zero, I guess, but it's usually some number in between there, and organizations, some better than others, do their best to get it as close to a hundred percent as possible. But things happen.
And that's what we're gonna talk about today. So what transpired? I think it was a little over a week ago now that this occurred. What transpired, and how were you alerted? Maybe give us the big picture of what happened.
[00:04:04] Viktor Petersson: Yeah, so we introduced our bug bounty program about two months ago, I think, which has been, I would say, a great success, and I would encourage other people to do that as well. We've done numerous pen tests over the years, and we found things in pen tests, we fixed things in pen tests, but a bug bounty program is a fantastic way to get a continuous flow of pen testing, essentially.
So we've had some great findings there, but the particular one that you're referring to happened last Sunday, so I think 7:00 PM roughly, Central European Time, or UTC actually. We got an email in our bug bounty program where somebody claimed that a large dataset of our customers' data was on one of these public leak sites.
So presumably then scraped from some forum, and then aggregated up to this site. That by itself is probably enough to scare any CTO or CEO a lot, right? So kudos to our team, we jumped on that right away. We began our investigation at 9:00 PM, so two hours after this landed, on a Sunday night.
Mind you, our investigation was already underway, and we started to validate the data, because you have to assume that it might be real, but it also might be just completely fake, right? And the data quality of leaks tends to vary a lot. So we started investigating this in kind of a clean room environment.
Going through the data, first of all asking the question: does it even make sense? Is this our data? Is this from our data at all? We spot-checked a few things, and we found at least a few correlations, a few accounts that were in our system, and that was enough then to escalate this.
This went from "oh, this is just a bogus report" to "actually, this is a real report." Obviously we can't make a judgment call on that until we've actually verified or invalidated the data. So we quickly compared the dataset that we got reported. We wrote some custom tooling to correlate that dataset with our real customer dataset. The initial dump was about 1400 users, which, mind you, is less than a percent of our users, right? It's like zero point something percent of our users. So it's by no means a whole data dump, which would be devastating, but it was a big enough number that it's scary.
So we started analyzing this, and we found that, I think, about 200 of the initial 1400 ended up being users in our system. As with most of these data leaks, there were a lot of duplicates. So after we'd de-duplicated the list, sorted it, and compared it to our dataset, I think we found about 200 users that ended up being in our system. So 228 of these existed in our actual system. Okay, now we went from 1400 to 228, which is, all right, still a big enough number. It's not to be sniffed at, right? It's a big enough number that it makes you concerned.
What we did right away was essentially do a password reset on all those accounts, so that we basically, well, we nullified the extent of the leak, right? So anybody who downloads that list, it will be of no use anymore. We did that within, I believe, two hours of getting it reported. We had reset all the user accounts on a Sunday night to basically remove the attack vector that is this leak, right?
And then we started diving more into the data, and we found that only 41 out of the 228 accounts we verified actually had any activity in the last year. So that means that if you're looking at potential attack vectors where this data could come from, that's an important variable, right? Because if all the accounts were either created or active around the same time period, you could deduce some pattern, but we found no pattern whatsoever in the data as we looked at last login and various activity data. And then, perhaps more importantly, only five out of those 41 were actually paying users.
So there were a lot of older users that are not paying users or don't have an actual active account. But that was not a very important variable there. That was the start of the investigation on Sunday, and that calmed our nerves a little bit, right, when you start to dial that in.
[00:08:53] Sean Martin: First thing that comes to mind for me is: how were there attributes in the dataset that linked them to Screenly? Because one thing I could think is, here's a bunch of data, I'm just gonna go to any company and say, we found your data, right? And
[00:09:10] Viktor Petersson: Right.
[00:09:11] Sean Martin: there's a chance that there's gonna be some overlap, right? If it's a tech company and da da da da. So what were your thoughts on that?
[00:09:19] Viktor Petersson: Yeah. That's why we were looking at patterns, right? To see if there was some kind of pattern with all these accounts. But there's no way for us to really tell that apart, right? Yeah, you're absolutely right. I guess the percentage, if the account list was 10,000 accounts and a hundred of those were real users, I guess that supports your argument more.
So absolutely that is something that we look at, but the ratio of real accounts to the whole list is a key indicator of such an attack, right? Or such a scenario, rather, I guess. So that was something that we looked at. Yeah.
[00:10:00] Sean Martin: So talk to me a bit about your bug bounty. Because my joke, and I actually had Casey Ellis on the other day, is that everybody's running a public bug bounty, whether they know it or not, right?
[00:10:15] Viktor Petersson: This is
[00:10:15] Sean Martin: Because anybody can hit the site and find stuff.
But you actually have a policy in place and a program running that says, here's the scope, here are the things we want you to find. So tell me a little bit about that, and the value of that generally, perhaps surrounding this as well.
[00:10:33] Viktor Petersson: Yeah, I mean, I think the scope is very important. You need to define rules of engagement, and it's the same thing with any, if you engage with a professional pen tester, you tend to always define the barriers or the security parameters: what's in scope and what's out of scope. I think it's important to have that as the backbone of the program, because just because it's on your domain doesn't mean that it's in scope, right?
Because that could be a third-party service, or that could be something else that is not entirely within your control, right? So we've defined the scope for our web app, largely speaking, as the scope for our bug bounty program. And then we've narrowed down from there, and we have taken the standardized procedures, like we have a security.txt, which has our PGP keys, if you want to report something severe.
We have an inbox that is monitored by more than one person. All those things are part of the program so that we have a system, and we've written a lot of internal tooling, because it's a bit of a tidal wave when you open a bug bounty program. We have received way more reports than we anticipated, and the one thing that's important to stress here is that managing a bug bounty program is not free.
It's very expensive in labor. Whilst you do get a lot of interesting reports, you also get a lot of garbage, in particular in the era of AI. A lot of copy-and-paste things that don't even make sense, but you need a human to screen that, and that's expensive.
[00:12:01] Sean Martin: Yep. Yep. Exactly. So talk to me a bit about, were there any, I guess, do you know the path, how the data was exfiltrated?
[00:12:15] Viktor Petersson: So we looked long and hard. We analyzed our logs, we tried to find some patterns, and we tried to figure out where this data came from. I mean, you're absolutely right in saying that it could just be a random dataset that just happened to correlate with our user data. Now, if it's 200 out of 1400, I think that's unlikely.
It seems to be far more targeted, right? So the worst-case scenario was, oh, our backend is compromised. That's your worst-case scenario, which is why we were looking at whether there was any correlation with the leaked data that we found on there. But then we had this idea that maybe we're not the source at all.
Maybe it's somewhere else, right? First of all, we looked at, hmm, did we have some JavaScript library, Google Tag Manager, that triggered and sent data accidentally somewhere? We did an audit on that and couldn't find anything there at all. And then we started brainstorming a little bit about what else this could be.
And then we randomly thought about Have I Been Pwned, Troy Hunt's project. We then looked at that dataset and compared it to our dataset to see if there was any correlation. And it just so happened that 99% or so of the entire leak data were in one of three major breaches that had been reported to Have I Been Pwned.
And the big important takeaway here is that these were not because of compromised servers. All three of these were in one of the stealer log dumps, meaning that end customer devices were infected with some kind of malware, which then aggregated and reported into a big leak. So the root cause, yeah.
Yeah, it was end user devices. Unfortunately, there are very few things we could do on our end to protect against that, right? We have a lot of mechanisms to improve security, but a lot of them are opt-in from the user, right? We have 2FA support and so forth. We have SSO support. But when we looked at the data, none of these users actually had 2FA enabled, right?
So by a simple security mechanism, if you'd just had 2FA enabled, that would've voided the entire attack vector, but none of them had.
[00:14:45] Sean Martin: Yeah. So as we wrap here, in the minute we have left, what's the big takeaway from you, and what would you leave folks listening with?
[00:14:56] Viktor Petersson: Yeah. So we took a long, hard look at ourselves and thought about what we can do to improve. If we offer features like 2FA and people aren't using it, what can we do then to improve the security posture and kind of remove this entire attack vector? So what we are rolling out now is passwordless.
So we go to magic links. We are gonna get rid of password authentication altogether. And I think that's a good push in general. You can combine it with 2FA to improve security further, you can use SSO, but passwords, they're not good. People reuse passwords, and there is very little you can do about preventing that, right?
You can check against lists and so forth, but it's not as secure as it should be. So our takeaway here is that the best way to solve this problem as a permanent fixture is to remove that attack vector altogether. So that's exactly what we're doing. I think we're gonna be rolling that out next week as a first wave.
[00:15:51] Sean Martin: Yeah. I love it. Well, Viktor, it's always good to see you, my friend, and...
[00:15:56] Viktor Petersson: Likewise.
[00:15:56] Sean Martin: You're doing well with Screenly, and you're running a bug bounty program to help you find some of these things and making that investment. And most importantly, I think, being willing to share the story with folks, to know that you don't have to run around with your hair on fire.
You can actually have a moment of, all right, what's going on? Follow the playbook. Rally the team in a way that makes sense, sort through everything, and come up with a good plan. So kudos to you.
[00:16:28] Viktor Petersson: Thank you. And having those runbooks from your SOC 2 or whatever compliance framework, they are helpful, because it tells you what to do, and just making sure you actually follow the playbooks as well. Yeah.
[00:16:38] Sean Martin: Yep. Absolutely. Well, Viktor, thanks again for sharing this. We call it our brand spotlight here on ITSPmagazine, a quick hit of a story, and it's an important one, so I appreciate you sharing that. And everybody listening and watching, do stay tuned for more brand spotlights as part of our brand story series on ITSPmagazine.
[00:17:00] And do connect with Viktor and the Screenly team. I'll include links to your LinkedIn post and the blogs so people can learn more. And obviously they can connect with you if they need secure screen signage, secure signage, I should say. It's good stuff. Thanks, Viktor.
[00:17:15] Viktor Petersson: Thanks.