Someone at BrowserStack is Leaking Users' Email Address
73 points by deevus
What a tire fire. I was curious what "contributor network" meant and discovered that Apollo allegedly notifies leakees in certain jurisdictions: https://knowledge.apollo.io/hc/en-us/articles/19331318468621-Apollo-Data-Overview#does-apollo-notify-contacts-when-it-adds-them-to-its-database
I appreciate that doesn't help the probably infinite other egress channels for a company that thinks publishing user data is ok, but maybe there's legislative hope yet
A few years ago, I tried to investigate every leak from every spam I received. That Apollo stuff came back several times and, yes, they are really dishonest and pretend to respect/delete but, no. Those are full good old spammers with a corporate tie.
"No spam, we promise!" (No spam from us, anyway.) Lol.
Yeah, it's a great idea to do this. I use Fastmail for the unique "masked" addresses. Just make sure, if it's a service where you'll ever want to represent yourself as a human, you don't have a too-robot-sounding address.
How are people quickly generating emails for everything they sign up for (and forwarding on)?
I got a little carried away and implemented signed email addresses. This way I can generate addresses offline with no configuration necessary and any spammers can't just tweak the address to bypass any blocks.
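One way signed addresses like those in the comment above can work, as an added example that is not the commenter's implementation. It assumes an HMAC-SHA256 tag truncated to 8 base32 characters and a `tag.signature@domain` layout; the key, the domain and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo values (assumptions): keep the real key out of source control.
SECRET = b"constructed-demo-key"
DOMAIN = "example.org"
SIG_LEN = 8  # 8 base32 characters = 40 bits of MAC


def _sig(tag: str, key: bytes) -> str:
    """Truncated, lowercase base32 HMAC-SHA256 over the tag."""
    mac = hmac.new(key, tag.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:SIG_LEN]


def _valid_tag(tag: str) -> bool:
    # ASCII letters and digits only, so the tag has one canonical form.
    return bool(tag) and tag.isascii() and tag.isalnum()


def make_alias(tag: str, key: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Generate an alias offline: only the key is needed, no server state."""
    tag = tag.lower()
    if not _valid_tag(tag):
        raise ValueError("tag must be ASCII letters and digits")
    return f"{tag}.{_sig(tag, key)}@{domain}"


def verify_alias(address: str, key: bytes = SECRET, domain: str = DOMAIN):
    """Return the tag if the signature matches, else None (reject the mail)."""
    local, at, dom = address.lower().rpartition("@")
    if not at or dom != domain:
        return None
    tag, dot, sig = local.rpartition(".")
    if not dot or not _valid_tag(tag):
        return None
    # Compare as bytes in constant time; sender-supplied text may be non-ASCII.
    if hmac.compare_digest(sig.encode("utf-8"), _sig(tag, key).encode("ascii")):
        return tag
    return None
```

The receiving side would call `verify_alias` on the recipient address and refuse anything that returns `None`, so changing the tag part of a leaked address yields an address that does not verify.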
I own a domain name and I set up a catch-all rule with my email provider, so everything is super easy. Anyone can send any email to anyarbitrarytextcangohere@mydomain and it gets redirected to myactualemail@mydomain. No effort required.
Lots of email hosts, including cPanel & DirectAdmin ones, provide this as an easy-to-enable feature.
That Apple privacy email thing gave me some inspiration. It's doable with self-hosted email, just spin up a service that generates email aliases on the fly.
I am, and have been for ages.
I had something like this happen, and had some idiot try to insist that my computer "must've been hacked" (sic), and that it wasn't them.
I made a new email address in the form of, "thisaddresswasonlyevergiventostupidcompany@...", signed up, waited a week or so, then contacted them again. Denied everything.
I got tired of the games, so I wrote to the California Office of the Attorney General and pointed out that this company was compromised or they were knowingly breaking the law, and I included simple layperson explanations. I don't know what happened specifically, but all the email stopped about a month later.
Oops! You asked how, not how many.
I edit virtusertable and add an entry, or just echo >> virtusertable.
I use FastMail with a custom domain, and their Masked Email. They're quick to make in the app, or you can hook it into 1Password which will generate the unique email alongside the password. (the 1Pass integration has been flaky for me, but making them in the web interface is pretty easy so I just do that).
I use SimpleLogin with my own domain. Each time I sign in to a new service, I use the name of service + current year @ mydomain. So it would be something like lobsters26@mydomain.
I also added a rule that if it starts with my wife's nickname, it is redirected to her email address. So "nicklobsters26@mydomain" will go to her address and she can use that feature too.
What I learned over the years is that:
I have my own domain with aliases for the services that I register with. Also for conferences or events. The worst (scariest) experience that I had was signing up to a service for testing (at work, using the company email) and within 10m someone from the company was adding me on LinkedIn and I got a call to my personal cellphone from the company as well. Yep, that was wild, one of the reasons we decided not to go with the product.
We later confirmed that their CRM had access to a bunch of different datasets that "aggregated" the data for them.