Hackers attempted to extort the online survey platform QuestionPro after claiming to have stolen the company’s database containing respondents’ personal information.
QuestionPro is an online service allowing businesses to create and conduct surveys to perform market research.
The company told BleepingComputer that they are currently determining whether a data breach occurred and have engaged with law enforcement to investigate the incident.
However, the company did confirm that it suffered an extortion attempt, in which a threat actor demanded a bitcoin payment not to release the data. QuestionPro ignored the demand.
QuestionPro said that customers will be alerted of a data theft incident if it is determined that a data breach occurred.
Database contains 22 million unique emails
BleepingComputer learned of this incident last week from Troy Hunt, the owner of the Have I Been Pwned data breach notification service, after being contacted by a threat actor known as ‘pompompurin,’ who claimed to have stolen QuestionPro’s database.
The threat actor has been involved in other high-profile breaches, including sending fake cyberattack emails through the FBI’s Law Enforcement Enterprise Portal (LEEP) and stealing customer data from Robinhood.
Pompompurin initially told BleepingComputer that they downloaded the database on May 21st and reported the unsecured database on May 23rd but did not demand a ransom. However, it was revealed later that another threat actor involved in the incident attempted to extort QuestionPro.
Hunt, who examined the allegedly stolen database, said it contains records for approximately 22 million unique email addresses.
While it is impossible to verify the database’s authenticity, Hunt says that it contains hundreds of thousands of entries using @questionpro.com email addresses, indicating that the data is likely affiliated with the service.
The data records shared with Have I Been Pwned include email addresses, IP addresses, geographic locations, and other survey-related information.
Listed on HIBP as “unverified”
Hunt said that he would add the data to HIBP as an “unverified” breach, where users can check whether their email address was exposed in the database.
“My commitment to subscribers is to let them know if I find their data in a breach and right now, verified or not, I’m sitting on their data and would like to notify them,” Hunt told BleepingComputer.
If you are subscribed to the Have I Been Pwned notification service and your email address is listed in the database, you will be notified automatically.
For those who have not signed up for email notifications, you can visit the site and enter your email address to check which data breaches your information has been exposed in.
While the data breach has not been confirmed, if you have used QuestionPro in the past, you should err on the side of caution and be on the lookout for targeted phishing emails.