Important: UserVoice Security Incident
Incident Report for UserVoice
Postmortem

Please see our blog post from May 9, 2016 announcing a security incident at https://community.uservoice.com/blog/uservoice-security-incident-notification/

What Happened?

In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak. As such, we’re resetting the passwords for all users in our database.

How am I Impacted?

We have notified via email all users whose personal information was accessed. These users account for about 0.001% of all UserVoice users (administrators and contributors). Even though our evidence suggests that most users were unaffected, out of an abundance of caution, we are requiring every user to change their UserVoice password, and strongly recommend changing your password for other sites that share your old UserVoice password.

What is UserVoice doing to protect my information?

-We identified how the attacker gained access to the system, and immediately made changes to our infrastructure to prevent further access.

-We reset the passwords for the users whose information was accessed, and contacted them directly. If they used their UserVoice password on any other tools, we strongly recommended they reset those passwords immediately.

-As a precaution, we have also logged all admins and end users out of our system, and are requiring them to reset their passwords.

-When users reset their password, we’re going to be hashing it with the bcrypt algorithm with a strong cost value.

-We’re enabling stronger password requirements for all users.

-We have reset the SSO tokens for the small subset of accounts whose token was compromised, and reached out to the account owners directly.

-We are adding additional layers of security around our back end system to ensure the security of the data we store for our customers.

FAQs

What personable identifiable information was compromised?

-The attacker was able to obtain the names, email address, and hashed password for <0.001% of users. The password is hashed with SHA1 with salt, which is considered a weaker hashing function by today’s standards. When users reset their passwords, their passwords will be hashed with the much stronger bcrypt hashing function.

How do I know if my information was accessed?

-We have notified via email all users whose information was accessed. Nonetheless, as an additional security measure, we have reset passwords for all users in the system.

What else are you going to do to prevent unauthorized access in the future?

-In this update, we are rolling out bcrypt and stronger password requirements. Security is something we take very seriously. Expect more updates as we continue to identify ways to improve UserVoice security.

What about SSO users?

-Users and admins who only log in with SSO were not impacted. SSO users will continue to be able to access UserVoice without any password reset interruptions.

What about users who log in with Gmail, Yahoo and Facebook?

-Users who log in with our social login were also not impacted, and will not be required to reset their passwords.

Why are you forcing me to create a new password if I wasn’t compromised?

-This is an extra precaution as we work to ensure the security of our customers’ data and accounts.

How do I reset my password?

-When prompted, enter your email and password as you usually would. You will see a message that your password has been reset. Check your email for further instructions.

Was any credit card information accessed?

-No. We do not store credit card information in our database.

Who can I contact with questions?

-Please submit questions to support@uservoice.com.

Posted May 09, 2016 - 20:02 EDT

Resolved
In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak. As such, we’re resetting the passwords for all users in our database.

We will publish a full Post Mortem momentarily with how users and admins were impacted, what steps you need to take, and common questions.
Posted May 09, 2016 - 20:00 EDT