Cyber Incident Victim: QuestionPro

Date: May 2022

Location: United States of America

Summary

Hackers attempted to extort an online survey platform after allegedly stealing a database containing respondents' personal information, though the company confirmed only the extortion attempt and stated an investigation was ongoing with law enforcement. The threat actors, including one linked to prior high-profile breaches, claimed to have exfiltrated data encompassing approximately 22 million unique email addresses alongside IP addresses, geographic locations, and survey-related details. While the breach remains unverified, analysis of the sample data indicated likely authenticity due to the presence of corporate-affiliated email addresses. The compromised information was added to a breach notification service as unverified, enabling affected individuals to check potential exposure. The company committed to notifying customers if a breach is confirmed.

Description

In May 2022, the online survey platform QuestionPro faced an alleged data breach involving unauthorized access to its database. On May 21, a threat actor using the alias 'pompompurin' claimed to have downloaded the company’s database containing survey respondents' information. The actor reported the database as unsecured to QuestionPro two days later on May 23 but did not initially demand payment. Subsequent developments revealed a separate extortion attempt by another threat actor, who demanded a bitcoin ransom to prevent the data’s release. QuestionPro confirmed it ignored the ransom demand and engaged law enforcement to investigate the incident. The company stated it was still determining whether a breach occurred but committed to notifying customers if data theft was confirmed. Pompompurin, known for prior breaches involving the FBI’s Law Enforcement Enterprise Portal and Robinhood, shared samples of the allegedly stolen data with Troy Hunt, founder of the Have I Been Pwned (HIBP) breach notification service.

Hunt analyzed the dataset, which contained approximately 22 million unique email addresses, including hundreds of thousands with QuestionPro-owned domains. The records included email addresses, IP addresses, geographic locations, and survey-related metadata. Though Hunt could not verify the database’s authenticity definitively, the presence of internal QuestionPro email addresses suggested a legitimate connection to the company. Hunt added the data to HIBP as an 'unverified' breach, enabling subscribers to check if their information appeared in the dataset. QuestionPro maintained its position that the breach remained unconfirmed but advised vigilance against potential phishing attacks. The incident highlighted uncertainties in breach validation processes, as third-party services like HIBP proceeded with notifications based on available evidence while the targeted organization continued its investigation.
