No Data Was Compromised
Most importantly, none of your user data was compromised or made publicly available by any third party. This means that you do not need to do anything, and this post is just for your information as we take data security extremely seriously.
On the 16th of November 2021, a faulty version of our Vaia learning software was rolled out to our users. It disabled a built-in security feature that prevents users from accessing data they should not have access to.
A week later, on 22 November, a security researcher from the German collective Zerforschung found the security flaw and conducted a test to see if they could access the data of multiple users. The researcher notified us on 24 November. Thanks to our existing security protocols, we could fix the issue just 41 minutes after receiving the message.
After this fix, we investigated which users were affected by the breach and if any of the data was compromised. Fortunately, it turned out that only the researcher used the data leak and no data was compromised. After talking to Zerforschung, they assured us that all users’ data has already been deleted and cannot be used for nefarious purposes.
What Does This Mean for You?
Fortunately, not that much 😁. None of your data has been compromised or made available to the public. Nevertheless, we think it is essential to be transparent about this incident. There is no action you need to take.
What Does This Mean for Us?
The security of your data is our main concern. You trust us with your study process and your materials, and we don’t take this responsibility lightly. That’s why we have always put a strong emphasis on data security at Vaia. For instance, just one month before the issue, we completed a thorough penetration test of our whole application.
However, in light of this development, we are taking the following additional steps to ensure this will never happen again and that your data remains safe:
- From now on, we will run monthly pentests. By collaborating with external agencies, we can ensure that we are able to identify and fix any security issues before any third party notices them.
- We will introduce a Vaia bug-bounty program, paying rewards to any individuals identifying security shortfalls in our application. This allows us to involve our users (like you) in guaranteeing the security of Vaia.
- We have already introduced new development processes, like additional review loops for security-critical code, and expanded our automatic testing to all areas of permission management.
As a result, we have an even higher standard of security to ensure that this never happens again.
Thank you for your trust, and we wish you great success in your future exams!
Your Vaia Team