Typeform breach: Hacker downloads backup file containing sensitive user data, thousands compromised

• The stolen backup file contained data gathered by the firm through surveys and online forms until May 3, 2018.
• The firm was quick to respond to the breach and reportedly secured the affected server within 30 minutes.

Barcelona-based survey and form building service Typeform said it suffered a data breach on June 29, 2018 after an attacker downloaded a backup file from the company's server that contained sensitive customer data.

The stolen backup file contained data gathered by the firm via surveys and online forms until May 3, 2018. However, users' payment information and password information was not included in the stolen cache.

The company said the attacker managed to take advantage of a vulnerability in their system. But the firm was quick at responding to the breach and secured the affected server within the first 30 mins of the breach.

Amongst the leaked data, the personal data of around 400 Tasmanian voters was also been compromised. The compromised information included names, addresses and dates of birth, the Tasmanian Electoral Commission said. The TEC has used Typeform since 2015 and was notified of the breach the same day.

“Typeform’s full investigation of the breach identified that data collected through five forms on the TEC website had been stolen,” the TEC said in a statement. “Whilst some of the stolen elector data captured in some of these forms have already been made public, such as candidate statements for a local government by-election, it is believed that the breach also captured name, address, email and date of birth information provided by electors when applying for an express vote at the recent State and Legislative Council elections.”

All affected voters will be contacted by the TEC who plans to launch a full security investigation soon.

Typeform also caters to some of the top 500 fortune companies like Apple, Nike and Forbes. All impacted customers have been notified via email. Shortly after its announcement, other affected firms that also use Typeform released notifications about the breach.

Digital challenger bank Monzo said the personal data of about 20,000 users have been compromised from its site. New York Public Radio also mentioned a list of all surveys that were affected.