Cyber Incident Victim: UserVoice
Date:
Apr 2016
Location:
United States of America
Summary
A cyberattack targeted UserVoice's backend administrative system, compromising sensitive data from a small subset of administrator and contributor accounts. The breach exposed customer names, associated emails, weakly encrypted passwords hashed with SHA1, and corresponding salt strings, though no financial information was accessed. The company, serving approximately 10,000 businesses with product management and customer support tools, required all users to reset passwords as a precaution despite the limited scope of impacted accounts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2016, UserVoice experienced a breach of its backend administrative system, compromising sensitive data from a limited subset of user accounts. The incident impacted approximately 0.001 percent of users with administrator or contributor privileges, exposing their names, email addresses, one-way encrypted passwords, and associated random salt strings. UserVoice disclosed that attackers accessed these credentials through unauthorized entry into the administrative infrastructure. The company acknowledged a critical vulnerability in its security posture: the compromised passwords were hashed using the SHA1 algorithm, which it described as inadequate by contemporary encryption standards. No financial information or transactional data was accessed during the breach. Founded in 2008, UserVoice provided product management and customer support SaaS solutions to around 10,000 business clients, though the breach exclusively affected administrative and contributor accounts rather than general end-users. The intrusion was detected and contained within April, with forensic analysis confirming the limited scope of exfiltrated data.
UserVoice initiated a mandatory password reset for all administrative and contributor accounts following the breach discovery, extending the recommendation as a precautionary measure to its entire user base despite the confined impact. The company issued direct notifications to affected users detailing the compromised data categories while emphasizing that financial systems remained untouched. Internal investigations confirmed the attackers exclusively targeted credential data from privileged accounts, with no evidence of secondary system compromises or persistent access. The disclosure occurred publicly in May 2016 alongside technical specifics regarding the outdated hashing mechanism’s role in exacerbating the breach’s potential severity. UserVoice did not report observable misuse of stolen credentials prior to mitigation efforts but maintained industry-standard account security protocols post-incident to prevent credential-based attacks.