UserVoice says it's been hacked, admits it used "weak" encryption for user account data

UserVoice has revealed that it was hacked last month, and that some user data was compromised in the breach, including names, email addresses and passwords.

UserVoice is a popular platform for companies to gather feedback from, and engage with, users of their products, to help inform the path of their future development. It says that over 200,000 companies have done so since its founding in 2008, and over 15 million people use the platform each month.

The firm said that only a tiny proportion of those accounts was affected - "about 0.001% of all UserVoice users" - but admitted that its encryption wasn't up to scratch:

In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak.

It added: "Although the passwords were encrypted, we are presuming the attackers may be able to decrypt the passwords, and are taking the necessary precautions."

The company says that "out of an abundance of caution", it's resetting passwords for all users on its database, and adds that it has already contacted those users directly affected by the breach. It also states that it's introducing new measures to protect user data, including:

  • When users reset their password, we’re going to be hashing it with the bcrypt algorithm with a strong cost value.
  • We’re enabling stronger password requirements for all users.
  • We have reset the SSO tokens for the small subset of accounts whose token was compromised, and reached out to the account owners directly.
  • We are adding additional layers of security around our back end system to ensure the security of the data we store for our customers.
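To make the first measure concrete, here is an added sketch (not UserVoice's code) of replacing a salted SHA-1 record with a slow, cost-tunable hash at password reset. Assumptions: the legacy hash is SHA-1 over salt followed by password, the record field names are invented, and scrypt from Python's standard library stands in for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import os

# Cost parameters for the slow hash; N is the knob to raise over time.
# scrypt stands in for bcrypt here (assumption, see lead-in).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def legacy_sha1(password, salt):
    # Assumed legacy layout: hex SHA-1 over salt || password. The page does
    # not say how the salt was combined with the password.
    return hashlib.sha1(salt + password.encode()).hexdigest()

def slow_hash(password, salt=None, n=SCRYPT_N):
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n,
                        r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Store algorithm and cost next to the hash so old records stay
    # verifiable after the cost is raised.
    return f"scrypt${n}${salt.hex()}${dk.hex()}"

def needs_forced_reset(record):
    """A record still holding a fast SHA-1 hash stays exposed to offline
    guessing until the user sets a new password."""
    return not record["hash"].startswith("scrypt$")

def verify(password, record):
    stored = record["hash"]
    if stored.startswith("scrypt$"):
        _, n, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(n))
    else:
        candidate = legacy_sha1(password, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, stored)

def reset_password(record, new_password):
    """Overwrite the stored hash with the slow one and drop the legacy
    salt column, which is now embedded in the hash string."""
    record["hash"] = slow_hash(new_password)
    record.pop("salt", None)

if __name__ == "__main__":
    # Constructed sample record, not real data.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    user = {"email": "user@example.com", "salt": salt.hex(),
            "hash": legacy_sha1("old-password", salt)}
    print("forced reset needed:", needs_forced_reset(user))
    reset_password(user, "a much longer new passphrase")
    print("forced reset needed:", needs_forced_reset(user))
    print("stored:", user["hash"][:24] + "...")
```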

UserVoice is used by a range of popular brands in the tech space, such as game-streaming service Twitch, and Microsoft, which gathers feedback from many of its users there, including those of Outlook.com, Xbox, OneDrive, Bing, and more.

Source: UserVoice via ZDNet
