Cybersecurity and Surveys
Everyone’s a target, even survey-collecting companies
by Charles Parker
Occasionally, people receive an email with a link to complete a survey from one of the
various survey companies. This is not unusual. Some don’t pay the respondent but donate
the money to a charity, while others pay the respondent directly.
These companies may not be at the top of the target list, but they are still viable targets.
SurveyLama found out the hard way that they are still a target full of wonderful data when
they reported their compromise earlier this year. SurveyLama pays its registered users to
complete surveys. The business model is not complex. The company pays quickly and allows
the respondent to withdraw during the survey.
Compromises come in different sizes, from a segment to an entire company’s servers
and data. With this incident, the bad actors were able to access and exfiltrate the users’ phone
numbers, email addresses, IP addresses, full names, passwords, dates of birth, and physical
addresses. What makes this more fun is the inclusion of IP addresses. The other information,
however, is very useful for direct and indirect purposes. The data covered 4,426,879 users.
On the bright side, the passwords were salted and hashed with SHA-1, bcrypt, or argon2.
Without this, there could have been more problems.
About the author
Charles Parker II has been working in the info sec field for over a decade, in the banking,
medical, automotive, and staffing industries. Charles has matriculated and attained the MBA,
MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security
(ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and
SCADA.