- Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is oftentimes overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589...
Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.
- >After a brief discussion, the emailer told me they got my details from Apollo.io
The landing page for Apollo.io says it's an "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.
- > Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.
I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" are not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, I don't think this is as effective as people think it is anymore.
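As an added illustration of the de-aliasing point made in this comment (this is example code, not code from the post or from any service named in the thread): a normalizer of the kind a CRM or enrichment tool might apply, run over a handful of constructed addresses. Plus-tagged addresses and dotted Gmail variants collapse onto the base mailbox, while addresses that are genuinely distinct mailboxes on your own domain survive as separate contacts. The list of dot-insensitive providers is an assumption kept deliberately short.

```python
# Constructed sample addresses for the demonstration (not from the thread).
SAMPLE_ADDRESSES = [
    "alice+browserstack@example.com",
    "alice@example.com",
    "a.l.i.c.e+shop@gmail.com",
    "alice@gmail.com",
    "browserstack@alice-example.org",   # per-site mailbox on own domain
    "shop@alice-example.org",           # another per-site mailbox
]

# Providers that ignore dots in the local part. Gmail is one; the set is
# illustrative (an assumption of this example), not exhaustive.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize(address: str) -> str:
    """Collapse an address the way a de-aliasing service might: lowercase it,
    drop any '+tag' sub-address, and drop dots for dot-insensitive providers."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]           # "alice+shop" -> "alice"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")       # "a.l.i.c.e" -> "alice"
    return f"{local}@{domain}"


def collapse(addresses):
    """Group addresses by normalized form. A group with more than one member
    is a set of aliases that a de-aliasing tool would merge into one contact,
    so a leak traced through the '+tag' can no longer be pinned on one site."""
    groups = {}
    for addr in addresses:
        groups.setdefault(normalize(addr), []).append(addr)
    return groups


if __name__ == "__main__":
    for canonical, members in collapse(SAMPLE_ADDRESSES).items():
        print(f"{canonical}: {members}")
```

The two addresses on alice-example.org each stay in a group of their own, which is why a per-site mailbox on a domain you control still identifies the leaking party even after this kind of normalization.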
- > BrowserStack routinely sell or give away their users' data.
> A third-party service used by BrowserStack siphons off information to send to others.
> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.
Or the simpler answer, their db/email list has been compromised.
- I remember the first and only time I used BrowserStack, almost 10 years ago. I found myself logged into the Google account of somebody else. I could freely access their email, drive files, everything.
I had reported this to them, and they quickly dismissed it as impossible. The dismissal itself was enough proof for me of horrific practices.
by Anton_Greg
0 subcomment
- The canary email trick is clever and the OP's frustration is valid. But the most likely explanation is their data passed through a CRM into an enrichment platform like Apollo, which then made it available to other customers. That's not a breach, I think it's just how these tools are designed to work. Which might be worse because it's happening at scale across thousands of companies.
The response could've been better though. When a customer raises something like this you trace the data flow and explain what happened.
But the real conversation should be about the enrichment industry itself. Opt-out instead of opt-in became the default and nobody questioned it. That's where regulation needs to catch up, hence singling out individual companies won't fix anything structural.
by theandrewbailey
2 subcomments
- Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses?
https://en.wikipedia.org/wiki/Canary_trap
- Thank you for naming and shaming the company.
by andrewaylett
0 subcomment
- Selected quotes from Apollo's GDPR page:
> Consent must be "freely given, specific, informed, and unambiguous."
and
> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.
https://knowledge.apollo.io/hc/en-us/articles/4409141087757-...
Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.
In other words: yes, if you have a CRM, then you might derive legitimate interests in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!
So ultimately I think this is on both Browserstack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).
Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.
- BrightData is another company offering hosted browsers which has also recently leaked private data, although they did email customers to warn them.
I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?
I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot.
I think most likely an attacker who has the customer data is using Claude to analyse it.
- Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy).
Caught quite a few leakers that way, by using specific addresses for specific sites or categories of sites.
(Last time I tried, Gmail's aliases were useless; they included your real address in the alias!)
by justinclift
0 subcomment
- Many years ago a substantially sized OSS group's forum software (maybe KDE or Qt? it was a long time ago) was accidentally including user email addresses in the non-user-visible HTML tags of forum pages.
Web scanners though aren't people, and easily noticed them, thus building up a database of email addresses to spam people.
It was discovered when a friend mentioned that one of their uniquely generated email addresses was being used by spammers. Similar to this post.
So, we got in contact with the forum people to let them know, and they tracked down + fixed the problem.
Perhaps a similar thing is happening to the article author, rather than purposely malicious behaviour?
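The failure mode this comment describes (addresses present in page markup but never rendered to a human, so only scrapers see them) can be checked for on your own pages. The following is an added example, not code from the post or from any forum project; it parses a small constructed HTML page and reports email addresses that appear in attribute values, HTML comments, or the text of hidden elements, while leaving visibly published addresses alone. The sample markup and the `hidden`/`display:none` heuristics are assumptions of the example.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Void elements never get an end tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col"}

# Constructed forum-style page. One address is deliberately public; the
# others only exist in a data attribute, a comment, and a hidden span.
SAMPLE_HTML = """
<html><body>
<div class="post" data-author-email="bob-forum@example.net">
  <span class="name">bob</span><br>
  <!-- moderator note: contact bob-forum@example.net -->
  <span style="display: none">carol-forum@example.net</span>
  <p>Email me at public-contact@example.org if interested.</p>
</div>
</body></html>
"""


class LeakFinder(HTMLParser):
    """Collect email addresses that a reader would not see on the page."""

    def __init__(self):
        super().__init__()
        self.findings = []        # list of (location, address)
        self._hidden_depth = 0    # >0 while inside a hidden element
        self._stack = []          # per open tag: was it hidden?

    def handle_starttag(self, tag, attrs):
        hidden = False
        for name, value in attrs:
            if name == "hidden":
                hidden = True
            if value is None:
                continue
            if name == "style" and "display:none" in value.replace(" ", ""):
                hidden = True
            for addr in EMAIL_RE.findall(value):
                self.findings.append((f"attribute {name} on <{tag}>", addr))
        if tag in VOID_TAGS:
            return
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_comment(self, data):
        for addr in EMAIL_RE.findall(data):
            self.findings.append(("html comment", addr))

    def handle_data(self, data):
        if self._hidden_depth > 0:
            for addr in EMAIL_RE.findall(data):
                self.findings.append(("hidden element text", addr))


def find_hidden_emails(html: str):
    """Return (location, address) pairs for addresses not visible to a reader."""
    parser = LeakFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for location, addr in find_hidden_emails(SAMPLE_HTML):
        print(f"{location}: {addr}")
```

Run against a real site's rendered pages, a non-empty result list is the signal that address data is reaching the markup without reaching the screen, which is exactly what a scraper harvests and a user never notices.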
- I had the same thing happen with Compare The Market in the UK. I used two unique email addresses with them on two different domains and the same day both started receiving spam. I reported it to them and they don't care, because how do you prove it?
- Is the _very big_ company Amazon, I wonder.
- This is beyond outrageous. And the data leak angle they’re pushing doesn’t make sense either.
- Guys at seamless io do the same thing. I found a very personal email address on the system. I figured someone at work was leaking their address book to seamless.
I don’t know how to stop it
by freedomben
1 subcomment
- Meta comment on the blog itself: Those theme options are really neat. Such a great touch for a personal blog!
by wood_spirit
1 subcomment
- Or the company data has been compromised. That’s a really common way for emails to ‘leak’.
- We need anonymous phone numbers
- Email needs a consent revocation system effectively like how Blackberry had PINs for BBM
by Flowergirl28
0 subcomment
- A few things to note here: what actually reached the OP was a cold sales email, not someone who had their password or payment info. The data that moved was business contact info going through a sales pipeline. Annoying? Absolutely. But the comments in here talking about GDPR fines and comparing this to actual data breaches feel like a massive escalation from what actually happened. I've seen real breaches in this industry. This isn't one. This is probably some SDR from the sales team, or the prospecting tool (Apollo, in this case), being sloppy with their processes and not thinking through what happens to the data they're working with.
by James_specter
0 subcomment
- Just wait till OP learns about Accurint!