In July, we were made aware that limited customer data may have been improperly accessed. We took immediate action to contain and remediate the issue. We also retained external security experts to assist in our active investigation into the issue. We also posted a statement on our Help Center and Corporate site, and posted on social media to alert users. We also have been sending emails directly to our users to let them know about this matter.
What type of information was exposed?
The investigation, to date, indicates that the following types of information may have been involved:
- Email address
- Date of birth and gender (if provided)
- IP address upon sign up, if signed up before 2017
- Profile display name and any information which you may have made public in the “about” or “status” fields of your profile, if you chose to use these, and account status for a very limited number of users
- Account name and salted and cryptographically hashed passwords
- Any third-party account IDs, such as Google or Facebook. Passwords associated with third-party accounts are not stored on our systems and are unaffected.
We want to stress that Wattpad does not store plain text passwords; all Wattpad passwords are encrypted. User stories, purchased stories and chapters, private messages, financial and payment information, and phone numbers were NOT part of this incident.
Was any financial information accessed? What about financial information to process payments for Paid Stories?
We do not store financial information on the affected system, so no financial information was accessed as a result of this incident. Paid Stories purchases are processed through third-party vendors and were also not part of this incident.
Is there any potential impact on users?
Given the type of information that we have about our users, we think it’s unlikely that this will meaningfully affect our users. Wattpad does not store plain text passwords, and Wattpad passwords use encryption. However, out of an abundance of caution, we are enhancing our password requirements for all accounts and asking our users to change their passwords.
User stories, purchased stories and chapters, private messages, and phone numbers were NOT part of this incident. Additionally, our investigation has not identified any signs that financial or payment information was involved. Wattpad does not maintain financial information on the affected system. Paid Stories purchases are processed through third-party vendors that were not part of this incident.
Is it safe for users to continue using their accounts?
Yes. Out of an abundance of caution, we are suggesting that our users change their passwords, however, there is currently no evidence to suggest individual user accounts have been improperly accessed due to this issue. If you changed your password after July 21, you do not need to change your password again.
What can users do to protect accounts?
Although we use encryption to store passwords, as a precaution, we are enhancing standards required for passwords on our platform and recommending users change their passwords on Wattpad and any other third-party accounts where they use the same passwords. If you changed your Wattpad password after July 21, you do not need to change your password again.
Why did Wattpad reset passwords?
Encrypted passwords were accessed as part of this incident. As a precaution, and as is common in these situations, we are recommending users change their passwords and advising users to change passwords on other sites where they used the same passwords. The plain text data was encrypted and not visible; however, because the security of our users is a top priority we felt it was important to proactively inform our users and prompt them to change their passwords out of an abundance of caution. If you changed your password after July 21, you do not need to change your password again.
Should users also reset passwords for their other accounts?
As a matter of practice, users should change passwords on a regular basis, not use the same password more than once, and use a password manager. In line with practicing password hygiene, we recommend users change their passwords on other sites they may have re-used the same password that they used on our platform.
Has this issue been resolved? What has Wattpad done to fix it?
As soon as this incident was discovered, our teams worked urgently to identify, contain, and remediate the issue and perform an extensive security investigation. We also engaged third- party security experts to run a forensic security audit. While our investigation continues, we will be reviewing ways in which we can bolster the security of our corporate infrastructure technology to help protect against similar incidents in the future.
Has Wattpad reported this incident to law enforcement?
Yes, as the security of our community and user data is our highest priority, we notified law enforcement. We have also engaged third-party security experts to assist in our investigation.
Why didn’t Wattpad tell users sooner?
Once we became aware that there might be an issue, we immediately began investigating and have been urgently working to understand the depth of this security incident. At the same time, our team members were working to confirm that our systems and user data was secured. Containing and remediating the incident were a matter of foremost priority. In July, we posted a statement on our Help Center and Corporate site, and posted on social media to alert users. We also have been sending emails directly to our users to let them know about this matter.