Typeform data breach hits thousands of survey accounts

Survey company Typeform has admitted suffering a breach caused by attackers downloading a “partial backup” of its customer data.
The Spanish company said it noticed the issue on 27 June, remedying its cause within 30 minutes. The affected data was that collected prior to 3 May, which meant:

Results collected since May 3rd 2018 are therefore safe and not compromised.

As breaches go, this is a slightly complicated one because Typeform’s paying customers are businesses that use its software to conduct customer surveys and quizzes.
Each one of those collects data from possibly tens of thousands of their own customers when they take part, which widens the breach’s scope.
Each affected provider will therefore need to contact these customers independently – a situation that draws parallels with the breach suffered by email marketing provider Epsilon in 2011, which saw dozens of large brands sending out apology emails.
Typeform said affected account holders would be informed by email. The Tasmanian Electoral Commission, British prestige brand Fortnum & Mason, digital bank Monzo, and food maker Birdseye have been among those issuing their own alerts, but this is only a fraction of the company’s business customer base, which runs to thousands.
Announced Monzo:

Our initial investigations suggest that some personal data of about 20,000 people is likely to have been included in the breach.

Which data was compromised?

Typeform is vague about specifics, choosing to mention only what isn’t at risk, namely subscription payment data, Typeform account passwords, any payments collected via Stripe integration, and audience payment data.
According to Monzo’s alert, in the vast majority of cases it will have been email addresses, and in a small number of cases, Twitter usernames, postcodes, salary bands, and ages.

What do to?

If you’re a business, Typeform has helpfully provided an apology email to send to customers, although large brands will likely decide to write their own. It does add this interesting detail:

If your name and email was downloaded by the attacker, then we recommend that you watch out for potential phishing scams, or spam emails.

Which brings us to the coalface of this breach – the unknown number of people who have never heard of Typeform, nor realised their data was being stored by them, but who might receive alert emails from the business that used it.
If you’re unlucky enough to be one of these, it seems the risk is, as stated, receiving phishing scams, that might use personal data from the breach to try to lure you in.
Be careful what you click on.