On Monday we learnt that Typeform, a popular service we’ve used to create some of our online forms, has suffered a significant data security breach.
Many 80,000 Hours users have completed one or more of these forms, and a subset of their form responses were among the information that was stolen from Typeform.
What user data was affected?
We have analysed a copy of the information that was stolen. Data from 18 forms was accessed and up to 8300 individuals were affected. A summary of the personal data affected is below:
|Data category|Maximum individuals affected|
|---|---|
|Name and email address|4271|
|Information regarding career plans|1,278|
|Mobile phone number|749|
The stolen data did not include: financial data (e.g. credit card information); any file attachments that users uploaded (e.g. curriculum vitae / résumé); or any form responses submitted after May 3rd 2018.
This happened because attackers found a weakness in Typeform’s security
Attackers managed to gain access to data backups for a subset of Typeform submissions that were collected before May 3rd 2018. Those backups contained the information that people submitted via these forms, including the data we mentioned above.
The Typeform data breach affects many organisations
Typeform is a widely used service, and it seems like this data breach affects thousands of organisations and millions of individuals.
80,000 Hours’ response
We take protecting personal data extremely seriously, and we are very sorry that our users have been affected by this incident.
When we discovered this incident, we immediately began a thorough investigation. Since then we have notified relevant authorities including the UK Information Commissioner’s Office, which is now investigating the breach.
Typeform have assured us that they have now secured their systems and taken steps to avoid similar incidents in the future. Nonetheless, we are now reviewing whether to continue using Typeform. We have strict criteria for selecting third-party service providers and we conduct regular data security assessments. We are disappointed that these measures were not sufficient to protect user data in this instance, and we will review them in light of this.
If you have any questions about this incident, please write to [email protected].