This weekend we discovered and plugged a potential security hole in our product. Using our API, anyone with fairly advanced and specific technical knowledge could have pulled email addresses, usernames, and associated ideas of end-users who had commented or created ideas from any public UserVoice subdomain (private forums and accounts were unaffected) and Admins during the last two months. About 30% of profiles were vulnerable. Passwords remain totally secure.
We are not aware of anyone exploiting this issue, and we have no reason to believe they have. However, transparency is one of our company values and is extremely important to us. This was something that we felt we should communicate to you.
The security of your data and your customers’ data is of the utmost importance to us, and we’re extremely upset that this ever occurred. We’re thankful that no one seems to have taken advantage of it, and we’ll be taking this as a wake-up call to be much more aware of our security. I’m aware that none of this makes the situation any less unfortunate, but I want to be clear to you: we’re taking this very seriously.
If you have absolutely any questions, please let us know – our Customer Team is standing by.
Thanks for your understanding and patronage,
Community Manager, UserVoice