On Monday, May 14th 2018 at 16:37 CEST, we discovered a defect in our error logging system which enabled the passwords of a very small number of Hotjar user accounts to be accessible by engineers with access rights to our log data. The passwords were not available in a searchable format and the log data was not downloadable.
The issue was resolved at 19:57 CEST and we are confident that there was no breach or misuse of data. Hotjar was not hacked or compromised and your site and site visitors were not impacted in any way.
Privacy and security are very important to us, and since we are unable to identify exactly who was impacted, we are asking all users to consider changing their Hotjar user password.
How did this happen?
We store passwords of Hotjar user accounts in salted and hashed form in order to authenticate users when they log in to their account. Passwords are processed with a cryptographic hash function, ensuring that nobody (including our engineers) can retrieve the original passwords.
During a routine investigation, we discovered a defect which made a very small number of Hotjar user account passwords accessible to engineers in our error logging system used to debug and solve issues. The passwords were stored salted and hashed, but were available in plaintext to engineers accessing the logging system via secure authentication.
On Monday, 14th May 2018 at 19:57 CEST, our engineers fixed the defect. All relevant data logs which contained a password have now been permanently deleted.
Who did this affect?
Visitors on sites where the Hotjar script is installed were not impacted in any way. Hotjar does not collect any password data from your visitors and users. This incident is related only to Hotjar user account passwords.
Passwords were stored in our logging system only when the following 3 conditions were met:
- A Hotjar user entered their password on a form on insights.hotjar.com (for example when confirming they wish to delete their account or changing their password).
- An error occurred when processing the request.
- The error was severe enough to be logged.
Based on our estimates, this would have happened to roughly 0.5% of our user base. Our engineers investigated the logging system defect in depth and have found no evidence that the stored passwords associated with this defect were misused in any way.
Who had access to the data?
Although these passwords were present within the error logs, Hotjar has clear security policies in place to prevent any unauthorised access or use of the data. Additionally, the passwords were not available in a searchable format and the log data was not downloadable.
What actions should Hotjar users take?
Although we are confident that the stored passwords associated with this defect were not misused, out of an abundance of caution, we recommend that you:
- Consider changing your Hotjar account password;
- If you are using your Hotjar account password on other services you should consider changing these passwords as well.
What are we doing to ensure this doesn’t happen again?
Our engineers performed a thorough audit of our logging systems. After an investigation, our engineers discovered a few more isolated cases of personal data (specifically, email addresses and IPs) being stored in our error logging system. To ensure no sensitive data can ever be stored again, our engineers introduced a new intermediary layer which automatically redacts any possible sensitive data (such as passwords, emails, IPs, credit card numbers and account IDs) before it reaches any of our error logging systems. Additionally, as a precaution, all data stored in our error logging systems was completely erased.
Hotjar is also committing to introduce Multi-Factor Authentication for Hotjar account access.
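One way to build a redaction layer like the one described above, shown as an added example that is not Hotjar's code: a Python `logging` filter that scrubs sensitive keys and value patterns before any handler sees the error record. The key names, regular expressions, the `context` extra field and the sample form are assumptions constructed for illustration.

```python
import logging
import re

# Assumed key names and value patterns; adapt them to your own request schema.
SENSITIVE_KEYS = re.compile(r"pass(word|wd)?|secret|token|card|account_id", re.I)
VALUE_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"), "[email]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "[card]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[ip]"),
]

def scrub(value, key=""):
    """Return a copy of value with sensitive keys and value patterns redacted."""
    if key and SENSITIVE_KEYS.search(str(key)):
        return "[redacted]"  # drop the whole value, whatever its type
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        for pattern, label in VALUE_PATTERNS:
            value = pattern.sub(label, value)
    return value

class RedactingFilter(logging.Filter):
    """Attach to every handler: scrubs message, args and the 'context' extra."""
    def filter(self, record):
        record.msg = scrub(record.getMessage())  # format first, then scrub
        record.args = None                       # raw args must not survive
        if hasattr(record, "context"):
            record.context = scrub(record.context)
        return True

def demo():
    # Constructed sample: an error while processing a password-change form.
    captured = []
    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append((record.getMessage(), getattr(record, "context", None)))
    log = logging.getLogger("redaction_demo")
    log.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    log.handlers = [handler]
    form = {"email": "user@example.com", "new_password": "hunter2", "csrf": "abc"}
    log.error("change failed for %s from %s", form["email"], "203.0.113.7",
              extra={"context": {"form": form}})
    return captured[0]
```

Key-based redaction catches the password field even though its value matches no pattern, which is the case the three conditions above describe; pattern-based redaction covers emails and IPs that end up in free-text messages.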