Cyber Incident Victim: Typeform

Date: Jun 2018

Location: Spain

Summary

An online survey and form service experienced a data breach when an attacker exploited a vulnerability to download a backup file containing customer information collected through surveys and forms, though passwords and payment details were not compromised. The company detected the intrusion, addressed the security flaw within 30 minutes, and notified affected customers two days later, with impact limited to those receiving notifications; one customer, a payment provider, confirmed exposure of data for approximately 20,000 users. The incident affected clients including major technology firms and other prominent organizations.

Description

On June 27, 2018, at 14:00 Central European Time, Typeform employees detected unauthorized access to a server containing a customer data backup file. The Barcelona-based online survey provider confirmed that an attacker exploited an undisclosed vulnerability to download this backup, which included information collected through customer surveys and forms up to May 3, 2018. Within thirty minutes of discovery, the company secured the compromised server and remediated the security flaw. Typeform delayed public disclosure until late Friday, June 29, two days after detection, limiting immediate media response due to weekend staffing constraints. The breach notification clarified that stolen records did not contain user passwords or payment card details, though they did include sensitive respondent information submitted through Typeform-powered questionnaires. Impacted customers received direct email notifications, indicating that the backup file did not contain all client data and that only certain accounts were affected.

The incident exposed information from high-profile organizations using Typeform's services, including Apple, Uber, Airbnb, Nike, Trello, and Forbes. Subsequent disclosures revealed specific consequences, such as payment provider Monzo reporting compromise of survey data for approximately 20,000 users. Typeform characterized the breach as contained following the server's rapid isolation but did not disclose forensic details regarding the attacker's identity, intrusion methodology beyond the initial vulnerability exploitation, or total affected records. This marked the third major data security incident reported that week, following breaches at Ticketmaster and Adidas. The company's communication emphasized the exclusion of financial credentials from exfiltrated data while acknowledging exposure of customer-collected survey responses through its platform.
