Online survey and data collection firm Typeform announced on June 27 that an unknown attacker gained access to their server and downloaded customer data backed up on June 3. As Typeform caters to organizations for online surveys and data collection, an increasing number of businesses and institutions have been notifying customers of the personal information that was stolen, such as names, email addresses, scans of documents, Twitter login credentials, and Social Security Numbers, among others.
The security team cut the attacker’s access thirty minutes after discovering unauthorized activity on June 27. Initial investigations revealed that the attacker downloaded from the servers partial backup data from before May 3, 2018. Information provided after that date was identified as safe. Knowledge of the extent of the breach is still growing, as the Barcelona-based company caters to global organizations such as Facebook, Apple, Hubspot, Indiegogo and Uber, and the number of possibly affected individuals is increasing with each announcement.
Typeform has informed their clientele of the incident and provided samples for notifying their respective individual customers. They did not disclose details on how attackers gained access and assured the public that the attackers did not steal any payment details or login credentials, though Singapore-based data platform Ocean Protocol differed. Ocean Protocol posted an apology on its blog and confirmed that the hackers downloaded some participants' sensitive information, such as ID numbers, wallet addresses, proofs of residence and accreditation.
This incident is just one of the growing number of announcements of data breaches and leaks to close the first half of the year. Typeform cautions the public that the attackers may use the stolen information for potential phishing attacks or spam campaigns. Not many individuals have heard of the company, but because enterprises used its platform, consumers may start receiving alert emails notifying them of the breach and the subsequent steps they can take to protect themselves. Here are a few steps to protect your data:
Educate all company employees on security policies and contingency plans, on how to identify attacks and trends in social engineering, and on what to do when an incident happens.