Millions of SurveyLama users have data exposed in major breach
SurveyLama notified more than 4 million users of the breach
Online survey platform SurveyLama suffered a data breach in which sensitive data on more than four million people were exposed.
The company confirmed the breach to Troy Hunt, the creator of the Have I Been Pwned? website which aggregates email addresses exposed in data breaches.
According to BleepingComputer, the breach happened in February this year. The data grabbed by unnamed attackers includes people’s names, dates of birth, email addresses, IP addresses, passwords, phone numbers, and postal addresses, opening users up to identity theft and phishing scams.
Unknown attackers
SurveyLama rewards registered users for completing surveys, and is known to make payouts up to $20. That makes its users the ideal target audience for rewards-based phishing emails.
In total, 4.4 million people were affected and allegedly, they have already been notified. If you are a SurveyLama user, be wary of incoming emails, especially those offering a prize in exchange for a quick reaction.
While user passwords were stolen, they were all stored in salted SHA-1, bcrypt, and argon2 hash forms, meaning they can’t be easily used. Still, BleepingComputer says that some passwords could be cracked with brute-force attacks, especially those hashed with SHA-1, a hash function with known vulnerabilities.
In any case, SurveyLama users are advised to update their passwords, just to be on the safe side.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The stolen information is yet to be posted anywhere, or sold on the dark web, so there’s still time to react and protect the accounts. Since it’s not yet been made public, we don’t know who the threat actors are, or if this was a ransomware attack or a simple data smash and grab.
In recent times, even ransomware groups started moving away from encryption, focusing only on data theft. Demanding a ransom payment in exchange for the data seems to be a lucrative endeavor.
More from TechRadar Pro
- Google tries to downplay cookie security risk as nothing new
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.