Barcelona-based online survey and form building service Typeform announced a data breach today after an unknown attacker downloaded a backup file containing sensitive customer information.
The backup file contained data gathered by Typeform customers through surveys and online forms up until May 3, 2018.
Typeform passwords and user payment card information were not included in the backup file the attacker took from Typeform's servers.
The company said the incident happened after the attacker exploited a vulnerability, yet it did not reveal what vulnerability that was. Typeform did say they plugged the security hole.
According to a timeline of events, Typeform said its employees became aware of the breach on Wednesday, June 27, at 14:00 CET, and secured the affected server 30 minutes later.
The company made a formal announcement late Friday night (EU timezones), two days later.
Bleeping Computer has reached out to Typeform via several channels to inquire about more details surrounding the incident, but we have not received any response, most likely because the breach was announced so late on a Friday when Typeform employees weren't on hand to answer media requests.
According to Wikipedia, Typeform caters to some pretty big names in the tech industry and beyond, such as Apple, Uber, Airbnb, and Nike. The company's website also lists Trello, HubSpot, Indiegogo, Forbes, and Freshdesk.
Typeform said only customers who received the notification emails were affected, suggesting the backup file might not have contained information on all customers, but only a select few.
UPDATE: Shortly after this article's publication, one of Typeform's customers, payment provider Monzo, revealed that data for about 20,000 users who filled out surveys on its site had been exposed.