DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UserVoice Security Incident

Posted on May 10, 2016 by Dissent

As posted on their site yesterday:

Please see our blog post from May 9, 2016 announcing a security incident at https://community.uservoice.com/blog/uservoice-security-incident-notification/

What Happened?

In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak. As such, we’re resetting the passwords for all users in our database.

How am I Impacted?

We have notified via email all users whose personal information was accessed. These users account for about 0.001% of all UserVoice users (administrators and contributors). Even though our evidence suggests that most users were unaffected, out of an abundance of caution, we are requiring every user to change their UserVoice password, and strongly recommend changing your password for other sites that share your old UserVoice password.

What is UserVoice doing to protect my information?

-We identified how the attacker gained access to the system, and immediately made changes to our infrastructure to prevent further access.

-We reset the passwords for the users whose information was accessed, and contacted them directly. If they used their UserVoice password on any other tools, we strongly recommended they reset those passwords immediately.

-As a precaution, we have also logged all admins and end users out of our system, and are requiring them to reset their passwords.

-When users reset their password, we’re going to be hashing it with the bcrypt algorithm with a strong cost value.

-We’re enabling stronger password requirements for all users.

-We have reset the SSO tokens for the small subset of accounts whose token was compromised, and reached out to the account owners directly.

-We are adding additional layers of security around our back end system to ensure the security of the data we store for our customers.

FAQs

What personable identifiable information was compromised?

-The attacker was able to obtain the names, email address, and hashed password for <0.001% of users. The password is hashed with SHA1 with salt, which is considered a weaker hashing function by today’s standards. When users reset their passwords, their passwords will be hashed with the much stronger bcrypt hashing function.

How do I know if my information was accessed?

-We have notified via email all users whose information was accessed. Nonetheless, as an additional security measure, we have reset passwords for all users in the system.

What else are you going to do to prevent unauthorized access in the future?

-In this update, we are rolling out bcrypt and stronger password requirements. Security is something we take very seriously. Expect more updates as we continue to identify ways to improve UserVoice security.

What about SSO users?

-Users and admins who only log in with SSO were not impacted. SSO users will continue to be able to access UserVoice without any password reset interruptions.

What about users who log in with Gmail, Yahoo and Facebook?

-Users who log in with our social login were also not impacted, and will not be required to reset their passwords.

Why are you forcing me to create a new password if I wasn’t compromised?

-This is an extra precaution as we work to ensure the security of our customers’ data and accounts.

How do I reset my password?

-When prompted, enter your email and password as you usually would. You will see a message that your password has been reset. Check your email for further instructions.

Was any credit card information accessed?

-No. We do not store credit card information in our database.

Who can I contact with questions?

-Please submit questions to [email protected].

Category: Business SectorHack

Post navigation

← Personal information displayed to others on NY’s health exchange website
Utkal admission offline as hackers strike again →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Department of Justice says Berkeley Research Group data breach may have exposed information on diocesan sex abuse survivors
  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • ARC sells airline ticket records to ICE and others
  • Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.