
security Hotjar - We identified a defect in our error logging system which enabled the passwords of a very


lovedomains

When you set a password for your Hotjar account, we use technology that masks it so no one within the Hotjar team can see it. On Monday, May 14th 2018 at 16:37 CEST we identified a defect in our error logging system which enabled the passwords of a very small number of Hotjar user accounts to be accessible by engineers with secure access to our error logs. The passwords were not available in a searchable format and the log data was not downloadable.

We have fixed the issue, and our investigations confirm no indication of any breach or misuse.

The defect occurred only when all of the following conditions were met:

A Hotjar user entered their password on a form on https://insights.hotjar.com (for example when confirming they wish to delete their account or changing their password).
An error occurred when processing the request.
The error was severe enough to be logged.

Based on our estimates this would have happened to roughly 0.5% of our user base. Our engineers investigated the logging system defect in depth and have found no evidence that the stored passwords were misused in any way.

To be clear, Hotjar has NOT been hacked or compromised in any way.

Out of an abundance of caution, we ask that you consider changing the password to your Hotjar account. If you are using your Hotjar account password on other services you should consider changing these passwords as well. We do recommend against using the same password for multiple online services and tools.


At Hotjar we pride ourselves on being open and transparent with our users. As soon as we became aware of the issue we launched an internal investigation. The results of the investigation have been published in an incident report and with this email we are informing all Hotjar users.

In light of this incident, Hotjar is committing to introduce multi factor authentication for Hotjar account access.

We wholeheartedly thank you for your understanding, and recognize and appreciate the trust you place in us. We are committed to earning that trust every day.
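
The three conditions listed in the notice (a password submitted on a form, a processing error, and an error severe enough to be logged) can be reproduced and mitigated as follows. This is an added example, not Hotjar's code or part of the original post; Python's `logging` module, the field names in `SENSITIVE_KEYS` and the handler names are assumptions made for illustration.

```python
import logging

SENSITIVE_KEYS = {"password", "current_password", "new_password"}  # assumed field names
MASK = "[REDACTED]"

def scrub(value):
    """Recursively mask values stored under sensitive keys."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    return value

class ScrubFilter(logging.Filter):
    """Masks sensitive keys in structured log arguments before formatting.
    It cannot catch a password already interpolated into a plain string."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(scrub(a) for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory, standing in for an error-log sink."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def handle_request(form, logger):
    try:
        raise RuntimeError("backend timeout")   # condition 2: processing fails
    except RuntimeError:
        # condition 3: the error is logged together with the submitted form
        logger.error("request failed form=%s", form)

def demo(with_filter):
    logger = logging.Logger("demo")             # stand-alone logger for the example
    handler = ListHandler()
    if with_filter:
        handler.addFilter(ScrubFilter())
    logger.addHandler(handler)
    # condition 1: constructed form submission containing a password
    handle_request({"email": "user@example.com", "password": "constructed-pw"}, logger)
    return handler.lines
```

Attaching the filter to the handler rather than to individual loggers means every record reaching that sink is scrubbed, whichever code path logged it.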
 
Sounds the same as what Twitter experienced (discovered) not too long ago.
 