Notice of Data Breach

Last updated Feb 26 2019

 At ShareThis, protecting the security of the information in our possession is a responsibility we take very seriously. We are providing notice of a data security incident that may have exposed information related to some users. This notice explains the incident and steps ShareThis has undertaken to address it.

What Happened?

On February 11, 2019, ShareThis became aware that it suffered a data security incident when it was informed that The Register published a story indicating that 16 companies, including ShareThis, were the victims of a data theft. We can tell from our initial investigations that email addresses, hashed passwords and some birth dates were impacted.  The incident, unfortunately, only came to light when The Register reported that the hacker posted the data for sale on the dark web.

What Information Was Involved?

Although our investigation is ongoing, we believe that the incident occurred in or prior to July 2018 and your name, emails, dates of birth, and hashed passwords may have been acquired by an unauthorized person or persons. Please note that we have no indication that passwords have been used by the hacker or other unauthorized individual. As a result, your personal data may have been compromised.

What We Are Doing.

We value individuals’ privacy and deeply regret that this incident occurred.  ShareThis has deactivated ShareThis accounts potentially associated with this incident.  We are reviewing our internal systems and are in the process of working with forensic and data security experts to review this incident and to identify any additional measures we can take to further bolster our security.    

How Will Individuals Know if They Are Affected?

ShareThis is sending emails to all individuals whose hashed password or date of birth is affected.  

What Individuals Can Do.

ShareThis has already deactivated the ShareThis accounts potentially associated with this incident, so if you created an account prior to January 2017, you may no longer be able to log in. However, we recommend that impacted individuals change passwords for any other accounts for which they use the same or similar email address or password and take other appropriate steps to protect online accounts.  We also encourage individuals to be cautious of spam or other phishing emails, including those that solicit personal data. You can also review the Steps You Can Take to Protect Your Personal Information below.

Steps You Can Take to Protect Your Personal Information

Maintaining the integrity of confidential information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused.  We are continuing to investigate this matter and will take appropriate action to prevent future similar incidents.

For More Information.

Individuals with questions about this incident, as well as those who would like to know if they are affected, can email us at inquiries@sharethis.com.

Other Steps Individuals Can Take to Protect Their Information

Monitor Your Accounts.

Although we have no reason to believe any financial information was impacted by this incident, we encourage individuals to remain vigilant, to review account statements, and to monitor credit reports for suspicious activity to help protect against possible identity theft or other financial loss for any source.

Credit Reports.

Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus.  If individuals would like to order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.  Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.

Security Freeze.

Individuals have the right to place a “security freeze” on their credit reports, which will prohibit a consumer reporting agency from releasing information without their express authorization.  The security freeze is designed to prevent credit, loans, and services from being approved in an individual’s name without their consent. However, individuals should be aware that using a security freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application made regarding a new loan, credit, mortgage, or any other account involving the extension of credit.  Pursuant to federal law, individuals cannot be charged to place or lift a security freeze on their credit reports. Should individuals wish to place a security freeze, they may contact the major consumer reporting agencies listed below: 

ExperianPO Box 9554Allen, TX 750131-888-397-3742www.experian.com/freeze/center.htmlTransUnionP.O. Box 2000Chester, PA 190161-800-909-8872www.transunion.com/credit-freezeEquifaxPO Box 105788Atlanta, GA 30348-57881-800-685-1111www.equifax.com/personal/credit-report-services

 In order to request a security freeze, individuals will need to supply the following information: 

  1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. If an individual has moved in the past five (5) years, provide the addresses where they have lived

over the prior five years;

  1. Proof of current address, such as a current utility bill or telephone bill;
  2. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);
  3. If an individual is a victim of identity theft, include a copy of either the police report, investigative

report, or complaint to a law enforcement agency concerning identity theft. To remove the security freeze, an individual must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided when the security freeze was placed.  The credit bureaus have three (3) business days after receiving a request to remove the security freeze. As an alternative to a security freeze, individuals have the right to place an initial or extended “fraud alert” on their file at no cost.  An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit.  If an individual is the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should an individual wish to place a fraud alert, they may contact any one of the agencies listed below: 

ExperianP.O. Box 2002Allen, TX 750131-888-397-3742www.experian.com/fraud/center.htmlTransUnionP.O. Box 2000Chester, PA 191061-800-680-7289www.transunion.com/fraud-victim-resource/place-fraud-alertEquifaxP.O. Box 105069Atlanta, GA 303481-888-766-0008www.equifax.com/personal/credit-report-services

Additional Information.

Individuals can further educate themselves regarding identity theft, and the steps they can take to protect themselves, by contacting their state Attorney General or the Federal Trade Commission.  The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.  Instances of known or suspected identity theft should be reported to law enforcement, the state Attorney General, and the FTC. Individuals can also further educate themselves about placing a fraud alert or security freeze on their credit files by contacting the FTC or their state’s Attorney General.  This notice has not been delayed by law enforcement.   For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, individuals have the right to obtain any police report filed in regard to this incident.  The number of Rhode Island residents impacted by this event is unable to be determined.