Hello, we're contacting you because an email address of yours has been leaked online. We have undertaken an investigation into this and wish to inform you of this activity and the steps we have taken at Loomio.

What is the issue?

We've been made aware that a list of Loomio user email addresses from April 2016 has been shared via the dark web and some illegal online services.

How did we find out?

On 2024-03-01 we were contacted by a number of Loomio users saying Google had notified them that their email address was associated with a data breach of loomio.org available on the dark web.

What did our investigation find?

We have discovered that a dataset named 'loomio.org' was listed as part of a larger collection of stolen data, which news media have called The Mother of All Breaches. On 2024-03-25, we obtained access to the leaked dataset and were able to research what it contained. Following this we have confirmed that the dataset is a list of Loomio user email addresses registered before 2016-04-19 11:37 UTC. Information obtained shows it has been circulating on the dark web since 2017-11-06.

In its entirety, the leaked dataset contains two columns and 118,971 rows. The columns are called email and password; however, the values in the password column are not real passwords but bcrypt password hashes. Bcrypt is a method of storing passwords so that, in the event of a leak, they cannot be read. This means that the only usable information in the leak is the email addresses. We want to be clear that the leak did not include names, credit card information, group data, discussions, comments or decisions; only email addresses and password hashes.

How did the data leak?

At this stage, we cannot say for sure. Because the data is from 2016, there is very little information available for us to audit. In October 2023 we migrated from our hosting provider at the time (Heroku) to DigitalOcean. There are no logs or metadata remaining on Heroku or from that time. We are continuing to investigate.

What is the current situation?

We have confidence in the security of our service, and we have conducted a full review of our current systems and processes.

What do I need to do?

It is not possible to recover the passwords from the hashes contained in this leak; however, we have taken the precautionary step of deleting the password from your user account. The default method of signing in to Loomio is via email, so no password is required. Should you want to access Loomio via password, you will need to reset it first.

We use industry best practices to run Loomio services, and have strong agreements in place with our hosting providers. If we receive any more information about this we will let you know.

We want to apologize to you for this breach of your privacy and assure you that we are doing everything we can to understand what happened and what actions we need to take.

Sincerely,
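The kind of triage the investigation describes, as an added example that is not Loomio's own code: it parses a two-column email,password dump, checks each password value against the bcrypt modular-crypt format ($2a$/$2b$/$2x$/$2y$, two-digit cost, 53 characters of salt and digest), and reports how many rows really hold bcrypt hashes versus anything else (which an incident responder would escalate as possibly plaintext). The dataset below is constructed for the example, not the leaked one.

```python
import csv
import io
import re
from collections import Counter

# bcrypt modular-crypt format: prefix, two-digit cost factor, then
# 22 base64 salt characters + 31 digest characters (53 total) from ./A-Za-z0-9.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(value):
    """Return the cost factor if value is a well-formed bcrypt hash, else None."""
    match = BCRYPT_RE.match(value.strip())
    return int(match.group(1)) if match else None


def assess_dump(csv_text):
    """Classify every row of an 'email,password' dump.

    Returns a summary: rows whose password column is a real bcrypt hash
    (not readable as a credential), rows whose value is not a bcrypt hash
    (treat as possibly plaintext and escalate), the cost factors seen, and
    the normalised email list needed for user notification.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    summary = {"rows": 0, "bcrypt": 0, "not_bcrypt": 0,
               "costs": Counter(), "emails": []}
    for row in reader:
        summary["rows"] += 1
        cost = bcrypt_cost(row.get("password", "") or "")
        if cost is None:
            summary["not_bcrypt"] += 1
        else:
            summary["bcrypt"] += 1
            summary["costs"][cost] += 1
        summary["emails"].append(row["email"].strip().lower())
    return summary


# Constructed sample dump (hashes are format-valid placeholders, not real digests).
SAMPLE_DUMP = """email,password
alice@example.org,$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
Bob@example.net,$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol@example.com,hunter2
"""

if __name__ == "__main__":
    result = assess_dump(SAMPLE_DUMP)
    print(f"rows={result['rows']} bcrypt={result['bcrypt']} "
          f"not_bcrypt={result['not_bcrypt']} costs={dict(result['costs'])}")
```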