DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UserVoice Security Incident

Posted on May 10, 2016 by Dissent

As posted on their site yesterday:

Please see our blog post from May 9, 2016 announcing a security incident at https://community.uservoice.com/blog/uservoice-security-incident-notification/

What Happened?

In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak. As such, we’re resetting the passwords for all users in our database.

How am I Impacted?

We have notified via email all users whose personal information was accessed. These users account for about 0.001% of all UserVoice users (administrators and contributors). Even though our evidence suggests that most users were unaffected, out of an abundance of caution, we are requiring every user to change their UserVoice password, and strongly recommend changing your password for other sites that share your old UserVoice password.

What is UserVoice doing to protect my information?

-We identified how the attacker gained access to the system, and immediately made changes to our infrastructure to prevent further access.

-We reset the passwords for the users whose information was accessed, and contacted them directly. If they used their UserVoice password on any other tools, we strongly recommended they reset those passwords immediately.

-As a precaution, we have also logged all admins and end users out of our system, and are requiring them to reset their passwords.

-When users reset their password, we’re going to be hashing it with the bcrypt algorithm with a strong cost value.

-We’re enabling stronger password requirements for all users.

-We have reset the SSO tokens for the small subset of accounts whose token was compromised, and reached out to the account owners directly.

-We are adding additional layers of security around our back end system to ensure the security of the data we store for our customers.

FAQs

What personable identifiable information was compromised?

-The attacker was able to obtain the names, email address, and hashed password for <0.001% of users. The password is hashed with SHA1 with salt, which is considered a weaker hashing function by today’s standards. When users reset their passwords, their passwords will be hashed with the much stronger bcrypt hashing function.

How do I know if my information was accessed?

-We have notified via email all users whose information was accessed. Nonetheless, as an additional security measure, we have reset passwords for all users in the system.

What else are you going to do to prevent unauthorized access in the future?

-In this update, we are rolling out bcrypt and stronger password requirements. Security is something we take very seriously. Expect more updates as we continue to identify ways to improve UserVoice security.

What about SSO users?

-Users and admins who only log in with SSO were not impacted. SSO users will continue to be able to access UserVoice without any password reset interruptions.

What about users who log in with Gmail, Yahoo and Facebook?

-Users who log in with our social login were also not impacted, and will not be required to reset their passwords.

Why are you forcing me to create a new password if I wasn’t compromised?

-This is an extra precaution as we work to ensure the security of our customers’ data and accounts.

How do I reset my password?

-When prompted, enter your email and password as you usually would. You will see a message that your password has been reset. Check your email for further instructions.

Was any credit card information accessed?

-No. We do not store credit card information in our database.

Who can I contact with questions?

-Please submit questions to [email protected].

Related posts:

  • Carbonite forces password reset after password reuse attack
  • Plex warns users to reset passwords after data breach
  • Gyft Notifies Affected Users of Security Incident
Category: Business SectorHack

Post navigation

← Personal information displayed to others on NY’s health exchange website
Utkal admission offline as hackers strike again →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.