On the 8th of July 2019 at 14:32 CET / 08:32 EST, our engineers identified a defect in one of our error logging systems. This issue resulted in the email addresses and passwords of a very small number of Hotjar accounts being temporarily stored in plain text in our logs. The data was not available in a searchable format, nor was it downloadable, and it has now been fully deleted.
What effect does this issue have on my data?
Hotjar has NOT been hacked or compromised in any way and this issue does not have any impact on your data. Out of an abundance of caution, you may wish to consider changing your Hotjar password.
What impact does this issue have on my site?
This issue has no impact on your site.
Why did this issue occur?
When you set a password for your Hotjar account, we use technology that masks it so no one within the Hotjar team can see it. What we discovered with this incident was that there was a short window of time during our deploy process in which, if one of our servers was down and a user attempted to log in, one of our application error logs unintentionally included the email and password for a small number of users.
Based on our estimates, this would have happened to roughly 0.07% of our user base.
We have now completed work to prevent this error from being sent with the sensitive information and, after thorough internal checks, have found no evidence that any of this information was misused in any way. All sensitive data related to this incident has now been fully deleted.
At Hotjar we pride ourselves on being open and transparent with our customers regarding their data. We have conducted a full internal investigation into this incident, and we remain committed to improving our logging and security to prevent issues like this from recurring in the future.
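The failure mode described above (a login error handler writing the request payload to an error log while a backend server is down) and one way to scrub it before it reaches the log, as an added example that is not Hotjar's code. The field names, the logger name and the `auth_backend` stub are assumptions, and the credentials are constructed sample values.

```python
import logging

SENSITIVE_KEYS = {"password", "passwd", "email", "token"}  # assumed field names
REDACTED = "[REDACTED]"

def scrub(value):
    """Return a copy of value with sensitive dict keys masked, recursing into containers."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactingFilter(logging.Filter):
    """Scrub log arguments before the handler formats or ships the record."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(scrub(a) for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def auth_backend(email, password):
    raise ConnectionError("auth server unavailable")  # simulated deploy-window outage

def login(form, logger):
    try:
        return auth_backend(form["email"], form["password"])
    except ConnectionError as exc:
        # The defect pattern: the whole request payload goes into the error log.
        logger.error("login failed: %s payload=%s", exc, form)
        return None

def demo():
    logger = logging.getLogger("login-demo")  # hypothetical logger name
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactingFilter())  # on the handler, so every record reaching it is scrubbed
    logger.handlers = [handler]
    login({"email": "user@example.com", "password": "hunter2-constructed"}, logger)
    return handler.lines[0]
```

The filter only covers structured log arguments; a secret already interpolated into a string or carried in exception text passes through unchanged, so the error path should also stop logging the payload itself.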