June 2018 Data Breach

Our June 2018 data breach
& what it means for you

If you didn’t get an email, you weren’t affected. For those affected, please check your email for specific information.

Our June 2018 data breach & what it means for you

What happened and was I affected?

What happened?

On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised. We responded immediately and fixed the source of the breach to prevent any further intrusion.

Were you affected?

If you didn’t get an email, you weren’t affected.

For those affected, please check your email for specific information.

FAQs

What happened?

We identified the breach at 14:00 CET on June 27th, and remedied the apparent cause of the breach at 14:30 CET on June 27th.  

We have since been performing a full forensic investigation of the incident to be certain that this cannot happen again.  The risk of reoccurrence is now deemed low enough to send out this communication.

The results that were accessed are from a partial backup dated May 3rd, 2018. Results collected since May 3rd 2018 are therefore safe and not compromised.

What do you mean by "compromised"?

In this case, “compromised” means that the attacker obtained access to your data and downloaded it from our servers. Unfortunately, this means that the attacker has partial data you collected prior to May 3rd.

How does this impact me?

If you received an email from us, all the responses you received prior to May 3rd could be compromised.

What data was compromised?

The results accessed were from a partial backup dated May 3rd, 2018. As a result, all data collected since May 3rd 2018 are not compromised.

What data is safe (i.e. not compromised by this incident)?

–> Your subscription payment info is safe and secure (credit card, address, etc).

–> Your Typeform password is safe.

–> The data you have collected since May 3rd is safe.

–> If you collected payments via our Stripe integration, all of your audience’s payment details are safe.

What should I do about this?

If you received names and email data through any of your typeforms, you might want to let them know about the breach. We prepared a template for you to use as part of your communication strategy:

Dear [name],

We just received a message that Typeform had a data breach, which affected one (or more) of the typeforms we sent out. Typeform reports that an external attacker managed to get unauthorized access to respondent data and downloaded it.

The good news is that Typeform responded immediately and fixed the source of the breach to prevent any further intrusion.

If your name and email was downloaded by the attacker, then we recommend that you watch out for potential phishing scams, or spam emails.

[If you collected payments via Typeform, you could add: Any credit card information you shared through Stripe is safe and secure.]

If you have any other questions, feel free to contact us.

Have you corrected the problem?

We have immediately initiated a comprehensive review of our system security and have identified the source of the breach and have addressed that security vulnerability.

As a data collection company, maintaining the security and privacy of our customers’ data is our top priority. We will continue to take significant measures to prevent this type of situation from happening in the future, including a full-scale review of our security.

Could this happen again?

We are taking substantial measures to prevent this from happening again, including using a cross-functional team to review our system and the security measures we employ.

Why weren't we notified sooner?

Before notifying you it was important for us to feel comfortable that the vulnerability was resolved to prevent another attack. Since the attack we have been performing a comprehensive forensic investigation. We launched this communication as soon as possible after feeling comfortable that our platform is now secure.

Can I trust Typeform with my data going forward?

It is understandable that you might question the trust you put in Typeform. We would like to assure you that we take Data Security and Data Privacy very seriously, and we are doing everything we can to take actions that will rebuild the trust you placed in us.

We are taking security measures to prevent any possible future occurrence.

In the short term, we brought in forensic security experts who have helped us review the breach, and are helping us look into all other aspects where we can improve the security of our platform. Regarding this specific incident, we’ve identified the vulnerability and implemented measures to prevent this type of attack.

Going forward, we will continue to scale our security team to ensure we’re doing everything we can to keep your data safe.

Help

If you have any more questions, you can contact our support team.

Get started