A security lapse on Blind, an anonymous workplace platform branded as a way for employees to flag improper behavior, temporarily exposed sensitive user data, TechCrunch reported Thursday. While the company said it deleted the data stored on one of its servers after being alerted to the issue, the lapse may have left exposed users’ personal information, including corporate email addresses, for weeks.
The company told Gizmodo that it estimates around 10 percent of its users were affected.
Blind’s data was first discovered by a security researcher who goes by the name Mossab H, according to TechCrunch. The researcher reportedly shared access to the data with reporter Zack Whittaker, who in turn notified Blind this Wednesday. The company said afterward that it immediately deleted the data.
The percentage of Blind users affected in the incident was calculated, the company said, based on the number of users who had logged in or created profiles between Nov. 1 and Dec. 19. A spokesperson would not divulge the company’s total number of users, telling Gizmodo that it was privileged information.
The company said by email and during a phone conversation that the exposed data had been transferred to a test environment related to improving a troubleshooting program. Under “normal” circumstances, it said, any test data would have been “immediately deleted or encrypted” after such a transfer. With regard to the stored passwords, the company said that its actual service relied on newer, more secure algorithms.
Kyum Kim, head of U.S. operations at Teamblind, told Gizmodo that the temporary logs were not representative of how the company stores data “or our database.”
“It was our mistake to decide to store them, for whatever purpose, and not taking enough caution to protect them. We deleted all data immediately after we found out,” Kim said. “Our policy has always been to make sure even we can’t identify the users, and for over 90 percent of the users who have not been affected, that remains the same and their email has never existed anywhere in our database. And it is true that we cannot identify anyone even with full access to our servers.”
Upon learning of the problem, Blind reportedly began notifying its affected users via push notifications.
The company is still reviewing logs to see who—if anyone unauthorized beyond Whittaker and his source—accessed the data, Kim said. At the time of writing, no malicious activity had been detected.
According to Whittaker, the data was exposed due to an unsecured dashboard tool used by companies to visualize internal documents and data. While email addresses were stored in plaintext, passwords were reportedly stored using the outdated hash function MD5, an algorithm for scrambling passwords considered insecure for decades. Whittaker confirmed to Gizmodo that he successfully unscrambled several passwords using a tool on the website Crackstation.
“The data that was exposed does not represent how we store data or our database,” Kim told Gizmodo. “We don’t store plain text emails on our database. And we don’t use MD5 encryption for any data that is stored in our database.”
The company added that the digital tokens reportedly discovered in the data were linked to a third-party security solution, telling Gizmodo it is “100 percent sure they have no relation to login or access to the accounts, thus are not access tokens.”