The company was set up in 1997 and claims to have "2.6 million active customer employee users in over 190 countries".
PageUp has changed its story a few times since the initial announcement of the breach on 6 June.
The company initially said the breach was due to a malware infection. But a statement on 12 June said: "Advanced methods were used to gain unauthorised access to PageUp’s IT systems in Australia, Singapore and the UK."
|
In its latest statement, issued on Sunday, the company said: "For those employees who currently or previously had access to your PageUp instance, current password data is protected using the robust password hashing algorithm, bcrypt, which includes salts, and therefore is considered to be of very low risk to individuals.
"However, failed login attempt data from 2007 and before contained a very small amount of password data in clear text. If employees have not changed their password information since 2007, it would be prudent to do this now and anywhere where they may have used the same password."
Among PageUp's clients in Australia are the Commonwealth Bank. the Australian Broadcasting Corporation, Telstra, NAB, Coles, Aldi, Medibank, Australia Post, Target, Reserve Bank of Australia, Officeworks, Kmart, Linfox, AMP, Asahi, Sony, Newcrest, the University of Tasmania and Lindt.
Several companies have stopped using PageUp People's site altogether, among them Monash University.
The breach was noticed on 23 May and five days later investigations showed that client data may have been compromised.
PageUp People's website is hosted by Amazon and appears to run on Microsoft's IIS Web server. There have been many cases where data was left unsecured in AWS buckets and leaked as a result, though this may not have happened in PageUp's case.