Discussion
Someone at BrowserStack is Leaking Users' Email Address
Macha: Is the _very big_ company Amazon, I wonder.
jstanley: BrightData is another company offering hosted browsers who has also recently leaked private data, although they did email customers to warn them. I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome. I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot. I think most likely an attacker who has the customer data is using Claude to analyse it.
wood_spirit: Or the company data has been compromised. That’s a really common way for emails to ‘leak’.
jmount: And BrowserStack either doesn't know this or knows this and isn't telling. Still bad, in my opinion.
jofzar: > BrowserStack routinely sell or give away their users' data.
> A third-party service used by BrowserStack siphons off information to send to others.
> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.
Or the simpler answer, their db/email list has been compromised.
gruez: > After a brief discussion, the emailer told me they got my details from Apollo.io
The landing page for Apollo.io says it's an "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.
streblo: Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is oftentimes overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589... Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.
nurettin: Brightdata? Isn't that the Israeli firm formerly called Luminati that sells you shady "high quality residential IPs" that you can rotate to scrape the web?
jen20: The simplest answer is they are voluntarily being scum and selling user data to make a quick buck. It’s almost universally true.
brookst: Accuracy matters. Pizzas and tires are both round, but you do different things with them.
Razengan: Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy)
michaelcampbell: > > BrowserStack routinely sell or give away their users' data.
> Or the simpler answer, their db/email list has been compromised.
I find the first option far simpler.
michaelcampbell: > not realizing the privacy implications.
If only.
petcat: > Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.
I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" are not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.
Jaxan: I just do <website>@<myhost.tld>. It is sometimes confusing when interacting with customer support ;-)
OptionOfT: Yes ma'am, my email address really is bofa.com@<optionoft's-lastname>.com. No, I'm not trying to hack you. Which in hindsight is also what a hacker would say. I can't win...
Robdel12: Shameless plug here, I worked for Percy and was acquired into bs (worked there for two years). I don’t have browsers, but if you want visual testing: https://vizzly.dev/ For OSS I don’t even want to talk to you. Sign up and connect. :p https://vizzly.dev/open-source/
nick-sta: I personally do x@mydomain.com. It makes it very obvious when you start getting spam (I’m looking at you dji).
gruez: > So unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.
Even if it's a "new" alias, I often see people[1] using simple schemes to derive the address, e.g. facebook@mydomain.example. With cheap LLMs it's not hard to automatically guess what the underlying pattern is.
edit: [1] i.e. in this very thread
villgax: Email needs a consent revocation system effectively like how Blackberry had PINs for BBM
jstanley: Yes. Their hosted browser service is one of the best ones out there.
gruez: > and selling user data to make a quick buck
Are there actually companies that will pay you $$$ for a list of emails?
overlordalex: The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like service@custom.com, and that way when service@ starts receiving spam you know exactly where it comes from
fragmede: yes, but service is too guessable, so append a randomly generated nonce as well, eg service_rjfh34@example.com. It doesn't need to be cryptographically random, just non trivially guessable to prove the service is leaking email addresses.
tvbusy: I use DuckDuckGo Email and it generates unique addresses that I can both receive emails (obviously) and reply to from that email. There's also an option to shutdown that address and never receive spam again.
noAnswer: If they had "de-aliased" his address then he wouldn't have known who leaked it. I use site-randomnumber@mydomain. The number is important. If the address leaked and I still want to use the service going forward I just change the number. (Yes I know: That obviously only helps against leaks and not against sharing agreements.)
reddalo: Hey.com works that way. You have to approve new senders before they can reach your inbox. And you can always revoke their permission to message you.I'd like to see that concept replicated to other email services. I don't particularly like all the other opinionated choices of Hey.com (especially the fact that you can't use IMAP).
gruez: LinkedIn got users to unwittingly share their entire contact list by signing into Gmail. What makes you think something similar wouldn't happen to some non-technical person on the sales team?
michaelcampbell: My point is I don't think one bit of this is accidental.
noAnswer: There are some big brain companies who will block you if their name appears in the email address. Like Discord. You can create an account with discrod@example.com. But a second later you will get an email that your account got banned. They know their way around IT security! /s
gruez: And my point is that it's pretty easy for people to accidentally do it, and this is corroborated by the available evidence, so we should apply Hanlon's razor rather than assuming someone at BrowserStack was laughing maniacally while uploading the email list.
michaelcampbell: I made no such assertion. Only that businesses do things in the business's interest more frequently than data breaches.
JimDabell: > It’s almost universally true.
It’s not. I give a unique email address to every service I register with, which means I can see who is leaking my email address. Very few of them leak my email address at all, and those that do tend to do so involuntarily through data breaches. The other main factors in spam are the sleazeballs at Apollo, ZoomInfo, et al., services that use my email address internally for more than I consented to (if I use my email address to register for a service, this does not permit that service to add me to their product mailing list), and the spammers who guess email addresses based on LinkedIn info (e.g. name + company domain). The services that appear to take an email address I have given them and sell it appear to be extremely rare.
phyzome: I often get asked whether I'm a fellow employee.
gruez: > Only that businesses do things in the business's interest
That's not mutually exclusive with "someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications".
> more frequently than data breaches.
You're fighting against both Hanlon's razor and Occam's razor here. The OP states the leak came from Apollo, and as other commenters have noted, Apollo specifically has a "Contributor Network" that shares email lists with other companies, and isn't well documented. It's not hard to imagine how this was done unintentionally. On the other hand there's no evidence to suggest this was done intentionally, other than generic cynicism of "businesses do things in the business's interest" or whatever.
mjlee: I use Fastmail with my own domain and 1Password. Together they give me a “masked email” button for forms that generates a random enough email address (two common words and four digits) and records the domain it was for. You can also create them ad-hoc from Fastmail’s interface.As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?
garciansmith: Yeah, Fastmail's aliases are great. I used to do things described by some other commenters, like myemail+nameofservice@ and whatnot, but this way the email is automatically generated and you don't have to put any thought into it.
jnettome: On top of it my email address is .me, so it's very common that when I finish spelling my e-mail, people are waiting for .com
freedomben: Meta comment on the blog itself: Those theme options are really neat. Such a great touch for a personal blog!
fontain: For a little more color for people unfamiliar with modern sales/marketing:
1. A user signs up to BrowserStack
2. BrowserStack (automatically) uploads the submitted user’s information to Apollo
3. Apollo “enriches” the user’s details using information they already have about the person, e.g. company revenue, LinkedIn profile
4. Sales reps at BrowserStack use the enriched information to identify leads, bucket for marketing etc.
Apollo’s customer data sharing adds any information BrowserStack send to Apollo to the person’s profile with Apollo, accessible to all Apollo customers.
For example, any other Apollo customer can search something like “email addresses for decision makers at Example, Inc.” and get back a list including your email address (if you told BrowserStack you are a decision maker at Example, Inc.)
Every single marketing team is doing all of this; the only reason it was obvious in this case is that the OP used a unique email address for BrowserStack. If you sign up for any business product online, you surely have a profile in Apollo filled with details about you gathered from around the web (and details you submitted).
edit: https://www.apollo.io/privacy-policy/remove (opt out link), but Apollo are just one of many companies offering this service
tgsovlerkhgsel: Hopefully in the near future:
5. BrowserStack gets hit by a massive GDPR fine.
anonymousiam: What you say is often true, but in the case of Discord, at least in my case, you are wrong. My Discord email address is discord@xxx.com, and I am still receiving emails from them.
dizhn: Last year the company my friend works at wanted to have a salary study to see if they were below market in any department. The company they found sent them a questionnaire with tons of questions including the salaries and positions of everyone. What a good business selling people's own shit back to them.
theandrewbailey: Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses? https://en.wikipedia.org/wiki/Canary_trap
ikidd: Sounds about right. Yes, I've been doing it for decades now, and besides telling you who's selling email lists, it makes filtering much easier. Filtering by To: is pretty low effort compared to Bayesian spam filters etc. They get tossed in a Sieve filter as soon as they become a problem, and I'll send a bitch letter to the leaker with another random email address to see how dedicated they are to screwing me.
zelphirkalt: Working in sales but not being able to handle customer data responsibly (for whatever reason). Not a good look.
edent: Cheers mate, I appreciate it.
QuantumNomad_: iCloud has a great feature that allows you to generate unique aliases on the fly quickly and easily. For example when signing up for new services via the web browser on iOS, you can generate a new address with the click of a button.Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.
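Several comments above describe pieces of one technique: fragmede's non-guessable nonce in the alias, noAnswer's site-randomnumber scheme where the number changes after a leak, ikidd's filtering on the To: header, gruez's point that a bare service@domain pattern can be guessed, and the catch-all spam problem in the comment just above. The following is an added example written for this page, not code posted by any commenter and not anything BrowserStack or Apollo ship. It assumes a personal domain (`mail.example`), a server-side secret, and an alias shape of `<service>-<tag>@domain` where the tag is a truncated HMAC over the service label and a generation counter; the domain, secret, service names and incoming addresses are all constructed. Because the tag is keyed, an attacker who works out the naming pattern still cannot mint a valid alias, and because the generation is the only state, a leaked alias is withdrawn by bumping one counter while a catch-all probe such as sales@ is rejected outright.

```python
"""Keyed per-service e-mail aliases for a catch-all domain.

Added example for this page; not code from any commenter or company.
Assumed: you own DOMAIN, run a catch-all, and keep SECRET on the mail server.
Alias shape: <service>-<tag>@DOMAIN, tag = HMAC-SHA256(SECRET, "service:generation")[:8].
The tag cannot be derived from the service name alone, and bumping the
generation "changes the number" for a service whose alias leaked.
"""
import hashlib
import hmac
import re

DOMAIN = "mail.example"                     # assumed personal domain
SECRET = b"replace-with-32-random-bytes"    # assumed; generate with secrets.token_bytes(32)
TAG_LEN = 8                                 # hex chars -> 32 bits, enough to defeat guessing

_ADDR = re.compile(r"^(?P<service>[a-z0-9]+)-(?P<tag>[0-9a-f]+)@(?P<domain>[a-z0-9.-]+)$")

# What a Sieve/milter rule should do with each classification.
ACTION = {"current": "deliver", "retired": "quarantine", "forged": "reject", "unknown": "reject"}


def _label(service):
    """Normalise a service name to the lowercase alphanumeric label used in the alias."""
    label = re.sub(r"[^a-z0-9]", "", service.lower())
    if not label:
        raise ValueError("service name needs at least one letter or digit")
    return label


class AliasMinter:
    def __init__(self, domain=DOMAIN, secret=SECRET, tag_len=TAG_LEN):
        self.domain = domain
        self.secret = secret
        self.tag_len = tag_len
        self.generation = {}   # label -> current generation; the only state to persist

    def _tag(self, label, gen):
        mac = hmac.new(self.secret, f"{label}:{gen}".encode(), hashlib.sha256)
        return mac.hexdigest()[: self.tag_len]

    def mint(self, service):
        """Return the alias to hand to `service` (same answer until rotate() is called)."""
        label = _label(service)
        gen = self.generation.setdefault(label, 0)
        return f"{label}-{self._tag(label, gen)}@{self.domain}"

    def rotate(self, service):
        """Retire the current alias for `service` after it leaked and return a fresh one."""
        label = _label(service)
        if label not in self.generation:
            raise KeyError(f"no alias was ever minted for {label!r}")
        self.generation[label] += 1
        return self.mint(label)

    def classify(self, address):
        """Classify an incoming To: address.

        Returns (kind, label): 'current' (deliver), 'retired' (an alias withdrawn
        after a leak; the label names who leaked it), 'forged' (right label, wrong
        tag: someone guessed the naming pattern) or 'unknown' (a guessed catch-all
        address such as sales@, or a foreign domain).
        """
        m = _ADDR.match(address.strip().lower())
        if not m or m["domain"] != self.domain:
            return "unknown", None
        label, tag = m["service"], m["tag"]
        if label not in self.generation:
            return "unknown", None
        current = self.generation[label]
        for gen in range(current, -1, -1):      # newest generation first
            if hmac.compare_digest(self._tag(label, gen), tag):
                return ("current" if gen == current else "retired"), label
        return "forged", label


def triage(minter, to_addresses):
    """Map each To: address to the (action, label) a delivery filter would act on."""
    result = {}
    for addr in to_addresses:
        kind, label = minter.classify(addr)
        result[addr] = (ACTION[kind], label)
    return result


def demo():
    """Walk through a leak: mint two aliases, see one leak, rotate it, filter the inbox."""
    minter = AliasMinter()
    browserstack = minter.mint("BrowserStack")
    dji = minter.mint("dji")
    # Constructed To: headers, not real mail: a legitimate sender, spam to the
    # BrowserStack alias, a pattern-guesser with a made-up tag, and a catch-all probe.
    incoming = [dji, browserstack, "browserstack-00000000@mail.example", "sales@mail.example"]
    minter.rotate("browserstack")   # the BrowserStack alias turned up in spam: withdraw it
    return triage(minter, incoming)


if __name__ == "__main__":
    for addr, (action, label) in demo().items():
        print(f"{action:10} {addr:45} leaked by: {label}")
```

The generation counter is the only thing that needs persisting; everything else is recomputed from the secret, so the scheme works without the per-alias database that a masked-email service keeps. Retired aliases are quarantined rather than rejected so you can still read the spam that tells you who leaked, and rejecting unknown labels is what stops the catch-all from accepting every joe@ and sales@ a spammer tries.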
sdevonoes: The downside of such iCloud aliases is that you cannot send emails from there (you can only reply to emails, and ofc receive emails)
simonjgreen: And the sad thing is, I can guarantee this thread alone will be great marketing for Apollo and they will gain a pile of new enquiries Monday morning.
ValentineC: ^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.Sometimes customer support staff bring up "oh, do you work at <company> too"? I just tell them that I created an email address just for their company, in case they spam me.
fmajid: I am more specific: if I start receiving pornographic spam like I did to the address I gave Dell, I will know they have been hacked.I will also not hold my breath waiting for the legally required breach notification they are supposed to send.