Typeform data breach exposes users of many websites

You may have never heard of Typeform, but they may have just lost some of your personal data.

It’s quite possible that you have no idea what Typeform is. But that doesn’t mean that you haven’t found yourself using it online from time to time.

Typeform is an online service that makes it easy for anyone to add attractive cutesy online surveys to their websites. It’s certainly a neat online app, making it simple to build an attractive survey or form and embed it on your site.

Typeform customers are believed to include Adobe, Airbnb, Apple, BBC, Facebook, Forbes, Freshdesk, HubSpot, Indiegogo, Trello, and Uber amongst many others.

So there’s a reasonable chance that you may have – at some point or another – completed a Typeform online survey.

Unfortunately, at the end of last week, Typeform admitted that it had suffered a data breach.

On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised. We responded immediately and fixed the source of the breach to prevent any further intrusion.

The results accessed were from a partial backup dated May 3rd, 2018. As a result, all data collected since May 3rd 2018 are not compromised.

The data stolen includes names, email addresses, and other pieces of information entered by users via Typeform forms.

Typeform says that it has contacted all affected customers. But hang on a minute, does that mean that you – who possibly completed a Typeform form in the past – have been told about the data breach?

Quite possibly not, because Typeform’s statement is somewhat ambiguous. One reading is that Typeform is telling its affected customers. Which would mean that you, meanwhile, are left waiting to see if/when you might receive a notification from the website you visited.

Some of Typeform’s clients have already gone public, reaching out to their affected customers.

For instance, digital bank Monzo (which did a great job protecting its customers from the Ticketmaster data breach, months before Ticketmaster acknowledged they had a problem) says that the details of “about 20,000 people” are likely to have been included in the breach.

Thankfully, Monzo is able to confirm that in most cases the information breached was users’ email addresses, and nobody has had their payment details or passwords exposed.

And, as the Evening Standard reports, posh nosh and fancy hamper store Fortnum & Mason has also found it has had its brand tarnished by Typeform’s slip-up:

The 311-year-old store warned about 23,000 customers that details including email and home addresses and social media handles had been accessed. Most of those affected had entered their details online when voting in the TV personality of the year category at the store’s food and drink awards. The poll had been organised by specialist survey and voting company Typeform.

Again, Fortnum & Mason’s customers are not believed to have had other personal information or payment details compromised by the Typeform breach. Which will be a relief to those who can afford to buy grub at Fortnum & Mason.

And down under, the Tasmanian Electoral Commissioner says that it has also been impacted, with hackers making off with the names and addresses, email addresses, and dates of birth of people applying for an express vote at recent elections.

The Tasmanian Electoral Commission has been using Typeform online forms on its website since 2015, and has identified that information collected via five forms on its site has been stolen.

Typeform says that it remedied the apparent cause of the breach within half an hour of its discovery, and is initiating a comprehensive security review to prevent similar incidents in future.

Such a rapid response should be applauded, of course, but what I’m concerned more about is how long the problem was present before it was discovered… and whether I might ever find out if I have been impacted.

It should go without saying – look out for phishing emails and malicious spam attacks in the wake of this breach.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
