Data breach alerting service Have I Been Pwned (HIBP) warns that SurveyLama suffered a data breach in February 2024, which exposed the sensitive data of 4.4 million users.
SurveyLama is a web-based platform that rewards registered users for completing surveys. Owned by French company Globe Media, the platform is praised for high payouts (up to $20), fast payments, and multiple withdrawal options.
In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including:
- Dates of birth
- Email addresses
- IP addresses
- Full names
- Passwords
- Phone numbers
- Physical addresses
Hunt told BleepingComputer that he was notified of the exposure by one of the impacted users and independently verified the data.
When contacted by HIBP about the authenticity of the data, SurveyLama said that it had already notified impacted users via email, confirming the security incident.
The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification.
The platform said the exposed passwords were stored as salted SHA-1, bcrypt, or argon2 hashes, so they are not in directly usable cleartext.
Although hashing provides some resistance to cracking, it is not impervious to brute-forcing, particularly for the passwords protected with salted SHA-1, which carries known vulnerabilities, making it susceptible to collision attacks.
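A service holding the mix of schemes described above can inventory its stored hashes and flag the salted SHA-1 ones for re-hashing with bcrypt or argon2 at the next successful login. The following is an added example, not code from SurveyLama or HIBP; the record layout, the SHA-1(salt || password) construction and all sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Standard encodings: bcrypt modular-crypt strings and argon2 PHC strings.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
ARGON2_RE = re.compile(r"^\$argon2(id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # bare 160-bit hex digest


def classify(stored: str) -> str:
    """Name the scheme behind one stored password hash."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if ARGON2_RE.match(stored):
        return "argon2"
    if SHA1_RE.match(stored.lower()):
        return "salted-sha1"
    return "unknown"


def legacy_sha1(password: str, salt: bytes) -> str:
    # Assumed legacy layout: hex(SHA-1(salt || password)).
    return hashlib.sha1(salt + password.encode()).hexdigest()


def audit(records):
    """Count schemes and list accounts whose hash is not bcrypt/argon2."""
    counts = Counter(classify(r["hash"]) for r in records)
    weak = [r["user"] for r in records
            if classify(r["hash"]) not in ("bcrypt", "argon2")]
    return counts, weak


def check_legacy_login(record, password: str) -> str:
    """Verify a salted SHA-1 record in constant time; on success the caller
    should re-hash the password with bcrypt/argon2 and drop the old digest."""
    expected = legacy_sha1(password, record["salt"])
    ok = hmac.compare_digest(expected, record["hash"].lower())
    return "rehash" if ok else "reject"


# Constructed sample rows, not taken from the breached data set.
RECORDS = [
    {"user": "alice", "salt": b"", "hash": "$2b$12$" + "a" * 53},
    {"user": "bob", "salt": b"",
     "hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$" + "b" * 43},
    {"user": "carol", "salt": b"\x01\x02\x03\x04",
     "hash": legacy_sha1("correct horse", b"\x01\x02\x03\x04")},
]
```
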
That said, SurveyLama account holders should reset their passwords on the service immediately and on other platforms where they might use the same credentials.
Hunt told BleepingComputer he was not aware that the compromised data had been posted anywhere publicly, making the exposure currently limited.
However, if the dataset has fallen into the wrong hands, it could be exploited privately and then eventually leaked to the broader cybercrime community, so users must take protective measures as soon as possible.