
UserVoice Security Incident - cskau
https://status.uservoice.com/incidents/fb7ml8b3nphf
======
parkersweb
The phrasing of the email didn't really help to clarify matters:

> "UserVoice has confirmed that about 0.001% of users' encrypted passwords
> were taken, and we are notifying those users directly. We are notifying you
> because you are listed as an administrator of your UserVoice account, and we
> want to inform you of steps we are taking to protect your and your team’s
> information."

Does that mean you're notifying me that my details were taken, or that this is
just a friendly "hey, we got hacked" message?

------
aussie123
Yikes. Curious around details: how did they get access to backend systems?

------
tempestn
From the email referenced in the report:

> We learned that in some cases, the attacker was able to perform a series of
> steps that allowed them to gain access to customer names, usernames, and
> encrypted passwords. Despite the fact that the passwords were encrypted, it
> is very possible that an attacker can decrypt this information.

This is worrisome, to say the least. I understand recommending people change
passwords when the hashes are encrypted, even if the encryption was properly
implemented. But if that was the case, there would still be no expectation
that the passwords could be "decrypted". Seems to suggest UserVoice is not
handling password storage in a secure manner.

