Hands up if you didn't lose data in the Typeform breach

And keep your hands up if you knew the lost data was – eek! – unencrypted

The list of organisations notifying customers that they're affected by the Typeform data breach continues to grow – and at least one victim has publicly claimed the breached backup data was unencrypted.

Australian bakery chain Bakers Delight, “beyond banking” outfit Revolut, the Australian Republican Movement, data platform Ocean Protocol, evaluation software company DevResults, digital transformation software vendor PostShift, and England's Shavington-cum-Gresty Parish Council have all told users they've been caught up in the breach.

In the main, affected organisations are using Typeform's template, which it prepared “for you to use as part of your communications strategy”, so most of the announcements are close to identical.

However, the folk at Ocean Protocol departed from the template to include this detail in their breach post: “TypeForm has confirmed that the data was stored in an unencrypted manner which means that the data is accessible.”

In Ocean Protocol's case, the attacker obtained “email, birthdate, place of birth, ID number, nationality, wallet address, scans of identity documents, proof of residence, proof of accreditation and for our US participants, SSN”.

Because of the breadth of its breach, Ocean Protocol is offering credit monitoring to affected customers. Its further advice included:

  • Set up 2-factor authentication on your critical online accounts, such as email and social media; and
  • Call your phone company and ask that a password be added to your account to prevent unauthorised SIM-porting.

The company also published this handy risk-assessment table about the types of data caught in the breach.

Ocean Protocol's risk assessment table

Digital banking company Revolut said it's affected, but in the main, the only exposure was e-mail addresses and possibly Twitter handles. “For a smaller number of people, it was pre registration details for our business product”, the post added.

PostShift said only 230 of its customers were impacted, because only one public-facing survey was hosted on Typeform.

Shavington-cum-Gresty Parish Council said only 304 of its citizens were breached, but most of those only had their e-mail address leak (in a few cases, name, postal address and postcode were included). The post added that the council will consider ending its relationship with Typeform at a July 6 communications committee meeting.

The Australian Republican Movement is also reviewing its use of Typeform.

Australian bakery chain Bakers Delight told Australian publication IT News the breach affected a customer competition, “Win a Decor Pack”. ®
