Check Your Accounts: Typeform Announces Breach, Affected Organizations Pile Up
Online survey and data collection firm Typeform announced on June 27 that an unknown attacker gained access to their server and downloaded customer data backed up on June 3. As Typeform caters to organizations for online surveys and data collection, an increasing number of businesses and institutions have been notifying customers of the personal information that was stolen, such as names, email addresses, scans of documents, Twitter login credentials, and Social Security Numbers, among others.
The security team cut the attacker’s access thirty minutes after discovering unauthorized activity on June 27. Initial investigations revealed that the attacker downloaded from the servers partial backup data from before May 3, 2018. Information provided after the said date was identified as safe. Knowledge of the extent of the breach is still growing as the Barcelona-based company caters to global organizations such as Facebook, Apple, Hubspot, Indiegogo and Uber, and the number of possibly affected individuals is increasing with each announcement.
Typeform has informed their clientele of the incident and provided samples for notifying their respective individual customers. They did not disclose details on how attackers gained access and assured the public that the attackers did not steal any payment details or login credentials, though Singapore-based data platform Ocean Protocol differed. Ocean Protocol posted an apology on its blog and confirmed that the hackers downloaded some participants' sensitive information such as ID numbers, wallet addresses, proofs of residence and accreditation.
Since Typeform’s announcement, organizations have been disclosing their connection via media outlets and notifying their customers of the breach. In accordance with the General Data Protection Regulation’s (GDPR) data breach notification guidelines in Europe, digital mobile bank Monzo, food grocer Fortnum & Mason, UK political party Liberal Democrats, digital banking platform Revolut, transformation software vendor PostShift, and budget hotel chain Travelodge are among those who have recently confirmed that they were affected. In Australia, in accordance with the country's data breach notification requirements, bakery chain Bakers Delight, the Tasmanian Electoral Commission, and the Australian Republican Movement also disclosed that they were affected by the breach. More companies are expected to make their announcements as they notify their respective customers and offer concessions for identity theft protection.
This incident is just one of the growing number of announcements of data breaches and leaks to close the first half of the year. Typeform cautions the public that the attackers may use the stolen information for potential phishing attacks or spam campaigns. As not many individuals have heard of the company, consumers may start receiving alert emails from the enterprises that used the platform, notifying them of the breach and of the steps they can take to protect themselves. Here are a few steps to protect your data:
- Educate all company employees on security policies and contingency plans on how to identify incidents of attacks and trends in social engineering, and what to do when it happens.
- Practice network segmentation and data categorization.
- Identify the weak spots in your organization’s security infrastructure and implement intrusion-preventive measures accordingly.
- Create strong passwords for all online accounts and change them frequently.
- Monitor your accounts for unauthorized access and report any irregularities to related authorities immediately.
- Be aware of social engineering techniques used to steal online account credentials.
- Enable 2FA on all your online accounts whenever applicable.