TaskRabbit, a web-based service that connects freelance handymen with clients in various local US markets, has emailed customers admitting it suffered a security breach.
The company has taken down its app and website while law enforcement and a private cyber-security firm are investigating the incident.
The hack appears to have taken place earlier today (US time zones), when users started posting images on Twitter showing defacements of some TaskRabbit pages.
Task Rabbit phishing attack. Emails sent out pointing to website which, for a time, revealed @TaskRabbit's private Github, daily transaction volumes, key employee information. @TaskRabbit you need to look into this right now. I believe my account has been compromised. pic.twitter.com/RcT6WXhW6l — Sam Rad (@_sam_rad) April 16, 2018
While the company did not initially admit it was hacked, it did send an email later in the day to its users.
"TaskRabbit is currently investigating a cybersecurity incident," the email stated. "We understand how important your personal information is and are working with an outside cybersecurity firm and law enforcement to determine the specifics. In the meantime the app and the website are offline while our team works on this."
"As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now."
The extent of the security breach is unclear. It is not known whether the attacker accessed user details or customers' financial data, or only defaced the site and left without touching anything else. We will update the story with more details when they become available.
UPDATE [April 18]: The TaskRabbit website is back up, along with a message from the company's CEO stating that "certain personally identifiable information may have been compromised" during this week's incident, but without providing any other details.
UPDATE [May 16]: In a data breach notification letter submitted to the Office of the Attorney General for the state of California, TaskRabbit admitted some truncated payment card data was stolen.