Description of Security Breach
We identified that backups containing data collected through our apps may have been accessible to unauthorized users. We responded immediately and fixed the source of the breach to prevent any further intrusion.
Who is affected?
- Users who downloaded an export of their form data from their POWR Response Dashboard anytime between February 22, 2018 and December 30, 2019.
- Users who accepted file attachments from their end-users through our forms anytime before December 30, 2019.
What data was compromised?
The following data may have been accessible to unauthorized users:
- Data that was exported by CSV/XLS from POWR form or payment apps
- Files that were uploaded by your end-users to a POWR form using the File Upload option
What data is safe (i.e. not compromised by this incident)?
- If you collected payments via our PayPal or Stripe integration, all of your audience’s credit card numbers are safe.
- Your POWR Account and Subscription payment info is safe and secure (credit card, address, phone number, email address, any other details you may have added to your POWR account info page).
- Your POWR password (or integration with platforms such as Wix, Shopify, and others) is safe.
- The data you have collected since December 30, 2019.
- Data collected before December 30, 2019 not exported by CSV/XLS and data not collected through File Upload.
- All data that is only stored in our database and not backed up to AWS S3.
What do I need to do?
If you collected names and email data through your forms or received sensitive details in file attachments through any of your POWR apps, you might want to let your customers know about the breach. We prepared a template for you to use as part of your communication strategy:
Dear [name],
We just received a message that POWR had a data breach, which affected one (or more) of our forms used to collect information. POWR reports that information was potentially accessible to unauthorized users, but currently has no reason to believe malicious agents have accessed data. The good news is that POWR responded immediately and fixed the source of the breach to prevent any further intrusion.
In the event that your name and email were downloaded by a malicious user, we recommend that you watch out for potential phishing scams or spam emails. Any payment details collected through PayPal or Stripe are safe and secure.
If you have any other questions, feel free to contact us.
You may also find the following links helpful:
- Users in the EU: What is a data breach and what do we have to do in case of a data breach?
- Users in the US: Security Breach Notification Laws
Please note that each state and/or country has its own laws on how security breaches need to be communicated to users. Please make sure you understand which law applies to you and reach out to our customer support team if you have questions. Although we cannot offer any legal advice on the situation, we're happy to help point you in the right direction.
Can I trust POWR with my data moving forward?
At this time we have no reason to believe that malicious users have accessed data; however, we are taking all precautions and notifying users that might be affected. Additional logging and security measures are also underway to prevent this and any similar incidents from occurring in the future.
Security is a top concern at POWR. If you have any questions, please contact our support team for help.