User data on six million subscribers to the cash-for-surveys site CashCrate has been compromised, according to a report on Motherboard.

Subscribers are paid to take online surveys – from a variety of companies – in order to test products and services.

User data going back 10 years – including email addresses, names, passwords and street addresses – was stolen in the breach. Earlier accounts contained full passwords, while those dating from mid-2010 forward were hashed with the MD5 algorithm, not well regarded in the security community for its weak encryption.

The company is blaming the breach on its third-party forum software, and is notifying customers, it informed Motherboard. Meanwhile, the software has been deactivated.

CashCrate subscribers are being advised to change their passwords. Further, if a subscriber uses the same password on another site, the advice is to change that login credential as well.