The data breach alerting service Have I Been Pwned (HIBP) has announced that SurveyLama experienced a data breach in February 2024, putting the sensitive data of 4.4 million users at risk.
SurveyLama is an online platform operated by the French company Globe Media, which rewards users for completing surveys. The platform is known for its high payout rates (up to $20), fast payments, and various withdrawal options.
Troy Hunt, the creator of HIBP, stated that he received information about the data breach affecting the service in early February. The breach involved various types of data, including birth dates, email addresses, IP addresses, full names, passwords, phone numbers, and physical addresses.
One of the affected users reported the breach, and it was independently verified by Hunt. When HIBP contacted SurveyLama to verify the authenticity of the data, the platform confirmed the security incident and stated that it had already notified affected users via email.
The dataset added to HIBP yesterday contains information on 4,426,879 accounts, and affected users should have already received an email notification.
SurveyLama reported that the exposed passwords were stored as salted SHA-1, bcrypt, or argon2 hashes, so they are not directly usable as plaintext. Hashing provides some resistance to cracking, but it is not impervious to brute-force attacks, especially for passwords protected with salted SHA-1, which carries known vulnerabilities.
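An operator holding a similarly mixed credential store can triage it by scheme, since the three hash types above do not carry the same risk. The sketch below is an added example, not code from SurveyLama, HIBP or the original article; the storage formats, policy thresholds and sample rows are assumptions constructed for illustration.

```python
import re

# Assumed storage formats (the article does not describe the real schema):
#   salted SHA-1 : sha1$<salt>$<40 hex digits>
#   bcrypt       : $2a$ / $2b$ / $2y$ <2-digit cost> $ <53 chars>
#   argon2       : $argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt>$<hash>
SHA1_RE = re.compile(r"^sha1\$[^$]+\$[0-9a-f]{40}$")
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
ARGON2_RE = re.compile(
    r"^\$argon2(id|i|d)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$[^$]+\$[^$]+$")

# Assumed policy floors; tune them to your own hardware and guidance.
MIN_BCRYPT_COST = 10
MIN_ARGON2_MEM_KIB = 19456
MIN_ARGON2_ITERS = 2

def triage(stored):
    """Return (scheme, action) for one stored password hash."""
    if SHA1_RE.match(stored):
        # A fast hash cannot be strengthened without the plaintext password.
        return "salted-sha1", "force-reset"
    m = BCRYPT_RE.match(stored)
    if m:
        ok = int(m.group(1)) >= MIN_BCRYPT_COST
        return "bcrypt", ("ok" if ok else "rehash-on-login")
    m = ARGON2_RE.match(stored)
    if m:
        mem, iters = int(m.group(2)), int(m.group(3))
        ok = mem >= MIN_ARGON2_MEM_KIB and iters >= MIN_ARGON2_ITERS
        return "argon2" + m.group(1), ("ok" if ok else "rehash-on-login")
    return "unknown", "investigate"

def plan(rows):
    """Group account ids by the action their stored hash requires."""
    actions = {}
    for account, stored in rows:
        actions.setdefault(triage(stored)[1], []).append(account)
    return actions

# Constructed sample rows (not real data): (account id, stored hash).
SAMPLE = [
    ("u1", "sha1$9f3a$" + "ab" * 20),
    ("u2", "$2b$08$" + "A" * 53),
    ("u3", "$2b$12$" + "A" * 53),
    ("u4", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"),
    ("u5", "d" * 32),
]

if __name__ == "__main__":
    for action, accounts in plan(SAMPLE).items():
        print(action, accounts)
```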
Hunt mentioned that the compromised data has not been publicly disclosed yet, limiting the current exposure. However, if the dataset falls into the wrong hands, there is a risk of exploitation and potential leakage to the broader cybercrime community.
Therefore, it is essential for SurveyLama account holders to reset their passwords immediately on the platform and on other platforms where they may use the same credentials. Users should remain vigilant and take necessary precautions to protect their personal information.