UserVoice Security Incident

13 points by cskau, about 9 years ago

3 comments

parkersweb, about 9 years ago

The phrasing of the email didn't really help to clarify matters:

> "UserVoice has confirmed that about 0.001% of users' encrypted passwords were taken, and we are notifying those users directly. We are notifying you because you are listed as an administrator of your UserVoice account, and we want to inform you of steps we are taking to protect your and your team’s information."

Does that mean you're notifying me that my details were taken, or that this is just a friendly "hey, we got hacked" message?

aussie123, about 9 years ago

Yikes. Curious around details, how did they get access to backend systems?

tempestn, about 9 years ago

From the email referenced in the report:

> We learned that in some cases, the attacker was able to perform a series of steps that allowed them to gain access to customer names, usernames, and encrypted passwords. Despite the fact that the passwords were encrypted, it is very possible that an attacker can decrypt this information.

This is worrisome to say the least. I understand recommending people change passwords when the hashes are encrypted, even if the encryption was properly implemented. But if that was the case, there would still be no expectation that the passwords could be "decrypted". Seems to suggest UserVoice is not handling password storage in a secure manner.