Typeform Data Breach Hits Many Organizations

Typeform Data Breach Hits Many Organizations
2.7.18 securityweek Incindent

Typeform, a Spain-based software-as-a-service (SaaS) company that specializes in online forms and surveys, has suffered a security breach that resulted in the data collected by its customers getting stolen.

According to a notice posted on its website, Typeform identified the breach on June 27 and addressed its cause roughly half an hour later. The company says an attacker has managed to download a backup file dated May 3 from one of its servers.

The compromised file stored names, email addresses and other pieces of information submitted by users through Typeform forms. Data collected after May 3, payment information, and passwords are not impacted, Typeform said.

UK-based mobile banking service Monzo is one of the impacted organizations. Monzo says the breach affects roughly 20,000 individuals, a vast majority of which only had their email address exposed. However, in some cases, information such as postcode, name of the old bank, Twitter username, university, city, age and salary range, and employer was also compromised. Monzo says it has ended its relationship with Typeform following the incident.

The Tasmanian Electoral Commission was also hit by this breach. The organization notes that while some of the stolen data is already public, the attacker may have also obtained names, addresses, email addresses, and dates of birth submitted by electors when applying for an express vote at recent elections.

The list of organizations that has notified customers of the Typeform breach also includes Thriva, Birdseye, HackUPC, and Ocean Protocol.

Typeform last year claimed to have 30,000 paying customers and many more using its free service. Companies such as Apple, Uber, Facebook, Adobe, Airbnb, WeTransfer and BBC are also said to have used its services at some point. The company’s website currently lists Trello, HubSpot, Indiegogo, Forbes, and Freshdesk as customers.

Typeform has assured customers that it has identified and addressed the source of the breach. The company claims it has initiated a comprehensive review of its system security and is taking “significant measures” to prevent such incidents from occurring in the future.

However, shortly after the data breach was disclosed, one Twitter user claimed to have identified another vulnerability in Typeform systems.