TypeForm Data Breach


#23

More excellent transparency from Tom.


#24

(Daniel White) #25

A bit embarrassing when they were sponsoring their blog post on the Ticketmaster hack on Facebook to show them up whilst this is going on though.


(Adam Kendrew) #26

I’d imagine it’s an oversight if they were only alerted to the breach a few hours ago?


#27

Good responses by Monzo, a bit of a strange response being sent love and kisses from Typeform!


(Alex Sherwood) #28

Thanks for sharing this Elvis, I’ve moved your post & the replies before this comment here, to keep all of the discussion in one place, I hope that’s ok!


#29

Of course :slight_smile:


(Kevyn) #30

I don’t expect you to get one from Typeform, but information about the hack states that any personal data you submitted on Monzo’s Typeform questionnaire has potentially been compromised (before the May date I forgot), as well as your email address.


(Alex Sherwood) #31

To avoid any confusion the only personal data that was compromised was:

& users were told specifically which data of theirs could have been compromised in the email. So in my case:

which means I’ll be keeping a close eye on anyone who follows me on Twitter today :eyes:


(Richard) #32

So typeform announced it three days ago. Why are you only announcing it today!!?


(Alex Sherwood) #33

Because, as the blog post says, Monzo was only notified by Typeform that its users were affected today.

We were notified at 4.55pm this afternoon that Typeform, a company we’ve used to collect survey results in the past, has suffered a data breach.


#34

Norton also emailed users about it:

"Dear Norton Customer,

On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster¹. As a result, it was determined that there was a possibility that an unknown third-party had gained access to certain personal information of their customers.

What information was compromised?
According to the company, some of the personally identifiable information that may have been stolen includes: name, address, email address, telephone number, payment details and Ticketmaster login details.

How to know if you’ve been affected by the Ticketmaster breach
Luckily, less than 5% of their customer base was affected by the hack, and Ticketmaster UK has already contacted the customers who may have been compromised. The data that was stolen involved UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 as well as international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018.

What to do if you have been affected by this breach
If your debit or credit card number was exposed, you need to replace it. Call the number on the back of your card to let the issuer know what happened and why you want your card replaced.

Regularly review your credit card and bank statements, looking for unfamiliar activity. If you see a transaction that isn’t yours contact your financial institution immediately to let them know.
If you have a Ticketmaster account, you should log into your account and change your password immediately. Be sure to use a strong and unique password for your account.
Exercise caution with websites offering to check if someone’s details are included in the breach. Use free tools, such as Norton Safe Web, to check on the reputation of the site.
Do not pay anyone offering to remove personal details from the leaked data, since this cannot be done. This information is already in the public domain and multiple copies exist."


#35

Tbh the majority of Twitter users are public anyway, and I bet most people’s email addresses are already on lists…

Sites like https://haveibeenpwned.com will show what data breaches you’ve already been “included” in.


(Kenny Grant) #36

It wasn’t given to them for marketing purposes. Monzo (in a false economy, it turns out) used Typeform for collecting customer data for various small customer surveys they run (like applications for a beta program, that sort of thing) - nothing earth shattering, usually it amounts to email. It would have been nice if they kept things like this in house though, even though it slows them down somewhat.

Still, it’s nice to see Monzo treating even minor breaches seriously and reacting very quickly.

I have the same feeling about the IFTTT integration - when you’re a bank, it’s important that the partners you choose are as assiduous about security as you are - partnering with other financial institutions is fine, partnering with random internet companies which were not built with security first in mind is not.


(Alex Sherwood) #37

I don’t think this is a realistic expectation to be honest. No company can build software for everything that they do, if they did, they’d never get anything done.

IFTTT is opt in. If you choose to share your data with 3rd parties then that’s up to you. Just as you choose to use any of those companies on a day to day basis anyway. We’re talking about sharing data here not access to money.


(Kenny Grant) #38

I don’t think this is a realistic expectation to be honest. No company can build software for everything that they do, if they did, they’d never get anything done.

It wasn’t intended as a criticism, it’s easy to come up with what you would have done in retrospect given a breach like this, but I imagine they’re now looking carefully at any third party they use to collect data. A web form for collecting data like this is not much time to make, and (again in retrospect) would be better done in-house IMO. I wouldn’t trust any of the other options like surveymonkey with customer data either.

IFTTT is opt in.

Sure, and I won’t be opting in to giving IFTTT access to my bank account, even just to shuffle money around. Personally I don’t think Monzo should be offering that integration as IFTTT was not built with bank accounts in mind and is (like most web apps) probably riddled with vulnerabilities. Everything is broken. I’d prefer to see rules on pots done inapp instead, but I’m also slightly nervous about logging in to my banking app via email, so perhaps I’m just paranoid :slight_smile:


#39

Ok, thanks for the information Monzo, but my criticism is that the minute I saw the email I decided it was a scam, and the reason for that is simple: the email did not address me by name, which is exactly what the scammers do. So I am very sorry but I have to say wake up Monzo.


(Toby Toller) #40

The email was notifying users of something which has happened; it was not asking the recipient to do anything or share anything. I have never seen a scam which isn’t asking for something, whether it’s details, to log in etc.

If a scam has data, e.g. your email, they’re more than likely going to have your name as well. I’d advise reading email content, rather than just the top line, before coming to any conclusions.

A scam wouldn’t say this, it would say something like:

No, your Monzo account and money may have been compromised, please log in here (insert dodgy link) to reset your password.


(Alex Sherwood) #41

An email addressing you by name is not a reliable way to be sure that it’s not a scam.


#42

Reminds me of stupid Nationwide that boasts about using the postcode as a security measure “we’ll always include your postcode at the top of any emails we send so you know it’s from us”. :joy: