Data breach alerting service Have I Been Pwned (HIBP) warns that SurveyLama suffered a data breach in February 2024, which exposed the sensitive data of 4.4 million users.
SurveyLama is an online platform that rewards registered users for completing surveys. Owned by French firm Globe Media, the platform is praised for high payouts (up to $20), fast payments, and multiple withdrawal options.
In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including:
- Dates of birth
- Email addresses
- IP addresses
- Full Names
- Passwords
- Phone numbers
- Physical addresses
Hunt told BleepingComputer that he was notified of the exposure by one of the impacted users and independently verified the data.
When contacted by HIBP inquiring about the authenticity of the data, SurveyLama said that they had already notified impacted users via email, confirming the security incident.
The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification.
The platform said the exposed passwords were stored either in salted SHA-1, bcrypt, or argon2 hashes form, so they are not in directly usable cleartext.
Though hashing adds some resistance to cracking, it is not impervious to brute-forcing, especially the passwords protected with salted SHA-1, which carries known vulnerabilities, making it susceptible to collision attacks.
That said, SurveyLama account holders should reset their passwords on the service immediately and on other platforms where they might use the same credentials.
Hunt told BleepingComputer he was not aware that the compromised data had been posted anywhere publicly, making the exposure currently limited.
However, if the dataset has fallen into the wrong hands, it could be exploited privately and then eventually leaked to the broader cybercrime community, so users must take protective measures as soon as possible.
Comments
electrolite - 2 months ago
"The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification."
"Hunt told BleepingComputer he was not aware that the compromised data had been posted anywhere publicly, making the exposure currently limited."
If the data is not posted publicly, then how did Hunt obtain it to add the data set to HIBP database?
RogerKaiser - 2 months ago
"If the data is not posted publicly, then how did Hunt obtain it to add the data set to HIBP database?"
The hacker or buyer sends the dump to Hunt directly.
electrolite - 2 months ago
Legally that seems to be in a grey area. Anyone buying hacked data would be in trouble with the law, regardless if it was being used for a non black-hat purpose.