EXECUTIVE SUMMARY:

TaskRabbit, the Ikea-backed business that provides handy persons for hire, appears to be the victim of a cyber attack. The site remained down for at least 24 hours, with few details emerging. The TaskRabbit data breach astounded both the company and its clients.

Customers received an email from the service yesterday. Today, that content remains available on TaskRabbit’s website. In summary, the message says that the company is investigating a data breach, that its app and website are offline, and that users should change their passwords if they’ve used the same one on other websites.

The TaskRabbit data breach

As news of the incident broke on Monday, confusion over the details sprang up. Gizmodo reported, “On Twitter, TaskRabbit referred to the incident as a ‘technical issue,’ but TaskRabbit users were told by email the company was investigating a ‘cybersecurity incident.’”

Although the company did not state the exact number of customers impacted by the attack, an anonymous source reported that as many as 35% of users may have been affected.

*Article update:

Social Security numbers and bank account numbers belonging to contract employees may have been compromised in the data breach. In addition, the company ultimately determined that bad actors launched a credential stuffing attack, meaning that existing sets of exposed credentials were tried automatically against the login portals of different websites to access accounts.

TaskRabbit states that, “out of an abundance of caution,” the company has reset passwords for a number of TaskRabbit accounts. All users who had not logged in since the first of May 2020 and select other user groups received new passwords. Importantly, TaskRabbit has since pledged to create a more secure login system.

How did TaskRabbit respond?

For individuals affected by the data breach, the company is offering 12 months of complimentary identity monitoring and/or restoration services.

How can users ensure cyber safety after this type of data breach? 

Individuals should take care to replace their passwords. In addition, it’s best to avoid common passwords, such as 12345, home addresses, birthdays, etc.

What else should people know about the TaskRabbit data breach? 

At least one TaskRabbit account holder claimed on Twitter to have received a phishing email that redirected them to a GitHub site. Daily transaction volumes and employee information appeared on the screen.

Learn more about the TaskRabbit data breach story at Gizmodo.