QuestionPro 2022 Data Breach

QuestionPro Survey Platform Exposure (2022): 22 Million Email Addresses :: Disputed, Some May Be Platform-Generated | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

SurveysEmail AddressIP AddressInterest & Preference DataUser Agent
Low SeverityWebsite / service breach

QuestionPro Survey Platform Exposure (2022): 22 Million Email Addresses :: Disputed, Some May Be Platform-Generated

Survey and research platform.

Verified by ObscureIQ Intelligence
12/100Breach Risk Index
5Data Value
10Market Recency
1361dSince Breach

Breach Intelligence Summary

Entity: QuestionPro · Actor: Unknown · Sources: 2 references
Attack: Unknown
Profile: Platform · Survey and research tools · SaaS data collection platform · Global
Timeline: Breach (2022-05-21) · Indexed (Aug 05, 2022) · Year (2022)
Exposure: 22.2M records · 4 fields: Email Address, IP Address, Interest & Preference Data, User Agent
Status: Unverified

Executive Summary

QuestionPro, a cloud-based survey and research platform serving businesses, academic institutions, and government organizations worldwide, was targeted in an extortion attempt in May 2022. A threat actor claimed to have extracted over 100GB of data from the platform and demanded payment. QuestionPro confirmed it received the extortion demand but did not confirm whether an actual breach had occurred. The dataset, which contained 22 million unique email addresses, was initially flagged as unverified. Subsequent verification by users who recognized their own data led analysts at Have I Been Pwned (HIBP), a service that tracks exposed credentials, to remove that flag. The exposed data includes email addresses, IP addresses, browser user agent strings (technical identifiers that describe a user's device and software), and survey response data generated through platform activity. Some email addresses appear to have been created by the platform itself rather than belonging to real individuals. The survey content is the most sensitive element. Depending on what research was hosted on the platform, responses could reflect health conditions, workplace opinions, political views, or customer sentiment, all tied back to identifiable users. This combination creates real risk for the people whose data appears in the dataset. No confirmed class-action litigation or regulatory enforcement specific to this incident has been documented publicly. Because the authenticity of the data remains disputed and some records may be platform-generated, affected individuals should treat this exposure with caution rather than certainty. Those whose email addresses appear in the dataset face elevated risk of targeted phishing and, if their survey responses were included, potential exposure of sensitive personal opinions or health-related information shared in a research context.

ObscureIQ assessment: Exposure enables phishing, research impersonation, and leakage of sensitive survey content. Depending on the surveys hosted, the breach may also expose health, HR, political, or customer-sentiment data.

Breach Impact

In May 2022 QuestionPro received an extortion demand from a threat actor claiming to have extracted over 100GB of data including 22 million unique email addresses, IP addresses, browser user agents, and survey response data tied to platform users. QuestionPro acknowledged the extortion attempt and engaged cybersecurity investigators. The nature of the exposed data included survey interest and preference data generated through platform activity — records that reflect research participation rather than financial or identity documents. No confirmed class-action litigation or regulatory enforcement specific to this incident has been documented in public sources.

About QuestionPro

QuestionPro is a cloud-based survey and research platform used by businesses, academic institutions, and government organizations to design, distribute, and analyze surveys and data collection instruments. The company is headquartered in Austin, Texas, and serves customers globally across market research, customer experience, workforce analytics, and academic research use cases.

Why They Hold Your Data

Survey and research platforms collect account data, respondent information, survey responses, billing records, and project metadata across data-collection workflows.

Recent Developments

QuestionPro continues to operate as a private SaaS company in the survey and research tools market. No major organizational changes or significant business developments have been prominently reported in the period surrounding the breach.

Data Points Exposed

4 verified field types
Email Address
IP Address
Interest & Preference Data
User Agent

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Preference-targeted phishing
  • Geolocation & account flagging
  • Browser fingerprint reconstruction

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the QuestionPro breach?

QuestionPro, a cloud-based survey and research platform serving businesses, academic institutions, and government organizations worldwide, was targeted in an extortion attempt in May 2022. A threat actor claimed to have extracted over 100GB of data from the platform and demanded payment.…

What data was exposed?

Verified fields include Email Address, IP Address, Interest & Preference Data, User Agent.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation