Paid-to-click Surveys: Your Opinions Don't Matter to Cyber Attackers

Last updated by UpGuard on September 11, 2019

scroll down

Does filling out an online survey in exchange for a few bucks sound too good be true? For ClixSense users, this is turning out to be the case: last week, the leading paid-to-click (PTC) survey firm admitted to a massive data breach involving virtually all of its users' accounts—roughly 6.6 million records in total. With so many giving in to the allure of easy money, PTC firms should be on top of securing privileged data of survey takers they're bankrolling. Let's find out how the top 5 compare when it comes to fulfilling this critical responsibility.

The breach—verified by Troy Hunt, creator of the popular data breach discovery engine Have I been pwned?—was first discovered on a post advertising the leaked data for sale. The complete payload purportedly consists of 6.6 million user records and source code from the website. Some examples of the data compromised include plaintext passwords, IP addresses, user birth dates, emails, payment methods, account balances, and payment histories. 

ClixSense has since issued a public notification explaining what the data breach means for its users:

What does this all mean? Simply put, your ClixSense account information is now much more secure. We did a forced password change as a precautionary measure and many of you have already changed your emails as well. If by chance you have used the same password here as other services (such as your email, Paypal or another PTC, etc..) please make sure you change these passwords too.

Thinking positively about the matter is certainly commendable, but does ClixSense's CSR ratings—as well as its competitors' scores—reflect a heightened state of security and enterprise resilienceLet's take a look at how each websites' perimeter security mechanisms stack up. 

See Target's Security Grade

PTC Company Roundup

It's only fitting that we start with ClixSense—one of the largest and most popular PTC firms and the subject of this latest massive data breach. Launched in 2007, the company also pays users for clicking advertisements and completing offers. Payouts are handled through PayPal, Payza, and Paytoo.

1. ClixSense - 637 out of 950

CSTAR - ClixSense

ClixSense scores an average CSR score of 637 for a number of risky security flaws: Lack of HTTP strict transport security, HttpOnly cookies, and secure cookies could lead to various client-side exploits. Additionally, disabled SPF, DMARC, and DNSSEC leave its servers open to forgery.

2. iPoll - 618 out of 950

CSTAR - iPoll

iPoll—previously known as Surveyhead—offers gift cards, sweepstakes, magazine subscriptions, and PayPal payments in exchange for sharing opinions via online surveys. The website shares many of ClixSense's website perimeter security issues, along with server information leakages such as exposed X-Powered-By Header and ASP Net Version Header information.

3. MySurvey - 638 out of 950

CSTAR - MySurvey

UK-based uses a point-based compensation system for redeeming gift cards, cash coupons, and vouchers in exchange for completing online surveys. The company recently added webcam surveys to its range of money-making activities. 

Don't remove that piece of tape from your webcam yet—various security flaws in MySurvey's website security mechanisms leave it vulnerable to being compromised. Its CSR score of 638 is a result of various security flaws: server information leakage, lack of HttpOnly cookies and secure cookies, and disabled DNSSEC and DMARC, among others.

4. CashCrate - 315 out of 950

CSTAR - CashCrate

If this PTC's name isn't enough to sound off alarm bells, a CSR score of 315 should do the trick. The popular online survey and offer completion website suffers from a myriad of  website perimeter security flaws: lack of DMARC, DNSSEC, secure cookies/HttpOnly cookies, and the like. But unlike the preceding firms' websites, CashCrate lacks sitewide SSL—on top of leaving its server's file sharing ports open. 

5. DollarSurveys- 428 out of 950

CSTAR - DollarSurveys

And Company Name Most Likely to Attract Cybercriminals goes to... okay, it's probably a toss-up between this PTC firm and CashCrate. And like CashCrate, its abysmal CSR score is a result of website perimeter security issues common to most firms on this list plus lack of sitewide SSL.  


Any website or service that promises cash incentives or huge payouts is bound to get barraged by user signups and—invariably—cyber attacks. Unfortunately, the massive ClixSense data breach is likely the first of many to come, if these PTC firms' CSR scores are any indication. An organization's cyber risk posture is only as strong as its weakest IT assets; a firm's externally facing web assets are arguably the most visible and therefore brand damaging items to be compromised.

Concerned about data breaches? 

Subscribe to data breach notifications ›

Related posts

Learn more about the latest issues in cybersecurity