On Monday we learnt that Typeform, a popular service we’ve used to create some of our online forms, has suffered a significant data security breach.

Many 80,000 Hours users have completed one or more of these forms, and a subset of their form responses were among the information that was stolen from Typeform.

Was your data affected? Today we are emailing all 80,000 Hours users whose data was included in this breach. The email will be sent from [email protected] with the subject line: “Your personal data is affected by the Typeform data breach”. If you do not receive this email by Friday July 6th, this means that any personal data you have submitted to us was not included in the breach.

What user data was affected?

We have analysed a copy of the information that was stolen. Data from 18 forms was accessed and up to 8300 individuals were affected. A summary of the personal data affected is below:

Data category Maximum individuals affected Name and email address 4271 Email address 4029 Information regarding career plans 1,278 University affiliation 770 Mobile phone number 749

The stolen data did not include: financial data (e.g. credit card information); any file attachments that users uploaded (e.g. curriculum vitae / résumé); or any form responses submitted after May 3rd 2018.

This happened because attackers found a weakness in Typeform’s security

Attackers managed to gain access to data backups for a subset of Typeform submissions that were collected before May 3rd 2018. Those backups contained the information that people submitted via these forms, including the data we mentioned above.

The Typeform data breach affects many organisations

Typeform is a widely used service, and it seems like this data breach affects thousands of organisations and millions of individuals.

80,000 Hours’ response

We take protecting personal data extremely seriously, and we are very sorry that our users have been affected by this incident.

When we discovered this incident, we immediately began a thorough investigation. Since then we have notified relevant authorities including the UK Information Commissioner’s Office, which is now investigating the breach.

Typeform have assured us that they have now secured their systems and taken steps to avoid similar incidents in the future. Nonetheless, we are now reviewing whether to continue using Typeform. We have strict criteria for selecting third party service providers and we conduct regular data security assessments. We are disappointed that these measures were not sufficient to protect user data in this instance, and we will review them in light of this.

If you have any questions about this incident, please write to [email protected].