TypeForm Data Breach

Anyone else been notified about the TypeForm breach? Great email - it’s great to get notified, reassurance, and advice on the same day as the breach:

Hello,

We were notified at 4.55pm this afternoon that Typeform, a company we’ve used to collect survey results in the past, has suffered a data breach.

Our initial investigations suggest that your email address is likely to have been included in the data.

We wanted to let you know as soon as possible and I want to personally apologise to you.

Is my Monzo account safe?

Yes. This data breach has not affected your Monzo account and your money is safe. This breach only affected the data you entered into the Typeform survey – it didn’t include any payment details or password information.

What should I do now?

You may see an increase in spam email, so be extra careful to only open messages that come from people or companies you know and trust.

You should also be vigilant for possible phishing scams, where someone sends you an email asking you to do something. Make sure you really know the sender and they’re not asking you to do anything unusual.

How did this happen?

It appears attackers found a weakness in Typeform’s security and managed to gain access to data backups for surveys conducted before May 3rd 2018. Those backups contained the responses to surveys. If we get more details, we’ll let you know as soon as possible.

What will Monzo do now?

Over the coming hours, we’ll be investigating this incident thoroughly and making sure we tell every affected customer as soon as possible. We will be reporting this incident to the Information Commissioner’s Office as soon as possible.

We’ll also be using this incident to learn for the future. We’re ending our contract with Typeform, at least until they can prove they have improved their security, and have deleted all customer data from their servers. In future, to reduce the chance of similar incidents, we’ll remove all survey data from any provider within two months of the survey.

Unfortunately, we can’t ever guarantee that something like this won’t happen, but we’re doing everything we can to protect your data.

I’m incredibly sorry this happened and will personally make sure we investigate it fully.

Tom Blomfield
Monzo CEO

Well done Monzo :clap:t2:

15 Likes

I got an email from Tom, but I haven’t had a Typeform email yet so perhaps my email wasn’t affected.

It was the email from Tom I’m referring to

I don’t think you’d be emailed by TypeForm directly unless you’d used them to create your own Typeforms

Typeform suggesting if you didn’t receive an email from them, you’re not affected.

1 Like

I just got the email. The bottom of it clearly states in the small print:

This email was sent to everyone affected in this breach.

I received the email from Tom and so did my partner. When looking back through their mailbox, they found that the only time they might have used Typeform and Monzo would have been on the Monzo store for a Monzo T-shirt.

Maybe Monzo should create their own survey platform, so they don’t have to rely on third parties? I’m not sure how feasible that would be though.

1 Like

Lately it seems to be data breaches all day long (just in time for GDPR). TicketMaster, TypeForm, an unknown US marketing company that leaked 340M records, etc.

1 Like

Data breaches have probably always been this common, but with GDPR the fines for not reporting them have gone way up. Previously they’d just have pretended that it didn’t happen.

3 Likes

I don’t remember seeing a company being so quick, transparent and honest about this kind of situation before.
Saying that “Unfortunately, we can’t ever guarantee that something like this won’t happen, but we’re doing everything we can to protect your data and we’ll learn from this incident.” is brave and truthful. Whichever company pretends they’re immune, they’re lying.
Contrast this with companies like Uber or Ticketmaster (which Monzo broke the news about their hack and they did nothing) who try to hide hacks, and you quickly decide with whom you want to have a relationship.
I applaud Monzo once again and keep waiting for my joint account to switch to it.

8 Likes

Yeah I got this email, was it everyone or just certain accounts?

I never got an email from Monzo, but I do remember using a Typeform for Revolut giving my mobile number (and possibly email). Let’s see if they send me an email.

1 Like

I remember previously completing a Monzo TypeForm relating to Savings and Investments. This included information on savings habits, total investments etc.

Regarding disclosure: the TypeForm FAQ about the breach indicates that they are relying on the creators of surveys to notify people who may have submitted responses. Monzo obviously have. Revolut will make their own decision.

1 Like

I also got an email from Tom. :smiley: I liked this email, one of the best I had seen on this subject.

I’m not too worried about answers I put on Monzo’s survey. The only ‘risk’ in my eyes is that they’ll be able to link my email with the fact I have a Monzo account (so a malicious party knows my bank login). However, 2FA and a long password from a password generator protect my email anyway.

The only thing I would change/add is related to the above: if someone has a weak/guessable password on their email, I think Monzo should advise about amending the password and/or adding 2FA. An email that most likely is a bank account login is a much more exciting attack target. People could have their password already exposed in another data breach. I can bet that someone used the same password for a LinkedIn/Adobe account as they still use on their email account. :wink:

An extensive, but not complete, list of confirmed breaches can be checked here: https://haveibeenpwned.com/ (there is a ‘password’ checker too, if you are really convinced you have a password like no one else ever had).

2 Likes

You may see an increase in spam email, so be extra careful to only open messages that come from people or companies you know and trust.

This could be particularly annoying. I’ve been very careful to only share my new email address with certain parties, after I accidentally added my old one onto a domain registration (which led to 100s of ‘let’s build a website for you’ emails). Really hope this won’t be the case after this breach! :pensive:

I think this is a breach of trust. Identifiable customer data should never be given to third parties for marketing purposes, only anonymised aggregate data. I’m shocked that Monzo could be so naive.

1 Like

I’ve also had the email from Tom

I agree that it’s so much better to know about these things sooner rather than later.

I guess it’s not unusual that companies use 3rd parties for these kinds of surveys, though maybe in the future the data collected may need to be more anonymised if possible?

Also, this forum is run through Discourse, isn’t it? Is that hosted by Monzo or Discourse? How well is this protected? Not that I guess anything posted on a discussion board would be private anyway. :slight_smile:

My email address is already ‘out there’ after other data breaches unfortunately, so I already get my fair share of spam.

Definitely a good time to review any weak passwords I may have tied to it. (This is really easy to do in iOS 12 and OSX Mojave if you let Apple manage your passwords btw).

Thanks Tom and Monzo for being so open and honest. Keen to know more when more is known.

1 Like

Nice to see Starling give the heads up, even though they don’t seem to be affected by the breach - an improvement on their side with transparency

https://community.starlingbank.com/t/typeform-data-breach/6208

3 Likes

It wasn’t, Typeform is a survey tool. Naturally if you ask a user for their email address etc. as part of the survey then it’s recorded by Typeform. That’s why they’re changing their retention policy -

In future, to reduce the chance of similar incidents, we’ll remove all survey data from any provider within two months of the survey.

But obviously Monzo has used & will use tools like this from 3rd parties, just like every other company.

6 Likes

Maybe in this case Monzo is the ‘affected’ user and not the people who filled out the survey. I don’t expect to get an email from Typeform.

2 Likes