Most importantly none of your user data was compromised or made available publicly by any third party. That means you do not need to do anything and this mail is just for your information as we take data security extremely seriously.
A faulty version of StudySmarter prevented our built-in security features allowing users to access more data than they are allowed by us. The problem was fixed by our development team within less than one hour and no data has been compromised or made available to the public. You do not need to do anything and can continue learning on StudySmarter as usual.
What happened exactly?
On the 16th of November, a faulty version of our StudySmarter learning software was rolled out to our users. It disabled a built-in security feature that prevents users from accessing data they should not have access to.
On the 22nd of November, a security researcher of the German collective “Zerforschung” found the security flaw and tested to access the data of multiple users. The researcher notified us on the 24th of November. Thanks to our existing security protocols, we were able to fix the issue just 41 minutes after receiving the message.
After this fix, we investigated which users were affected by the breach and if any of the data was compromised. Fortunately it turned out that only the researcher used the data leak, and that no data was compromised. After talking to Zerforschung, they assured us that all users’ data has already been deleted and not used for any nefarious purposes.
What does that mean for you?
Fortunately not that much. None of your data has been compromised or available to the public, nevertheless we think it is important to be transparent about this incident. There is no action you need to take.
What does it mean for us?
The security of your data is our main concern. You trust us with your study process and your materials, and we don’t take this responsibility lightly. That’s why we have always put strong emphasis on data security at StudySmarter. For instance just one month before the issue, we have completed a thorough penetration-test of our whole application.
However in light of this development we are taking additional steps to ensure this will never happen again and that your data remains safe.
- From now on we will run pentests on at least a monthly interval. By collaborating with external agencies we can ensure that we can identify and fix any securities issues before any third party notices them.
- We will shortly introduce a StudySmarter bug bounty program, paying rewards to any individuals identifying security shortfalls in our application. This allows us to involve our users like you in guaranteeing the security of StudySmarter.
- We have already introduced new development processes like additional review loops for security critical code and expanded our automatic testing to all areas of permission management.
As a result, we have tightened the security level of our application to a new standard, to ensure that this never happens again.
Thank you for your trust and we wish you great success in your future exams!
Your StudySmarter Team