Tell HN: Uber sold my email address
Like many here, I have my own domain name and I create custom email addresses for each account. For Uber, I predictably used "uber@<domain>". I have never used that address anywhere else.
Two days ago, I received spam titled "Epiphany RBC" about some survey that will give me a $5 gift card.
How does a Big Tech company like Uber mishandle private data like email addresses? Presumably this action was not coordinated by the C-suite. Did some mid-level/low-level employee with access to the data actually steal and sell the addresses?
32 comments
[ 0.26 ms ] story [ 80.4 ms ] threadIf uber sold the email addresses, or had a leak, many people will be affected, and some of them likely have custom aliases. If nobody else was affected, it might just be a random event, bots try to brute-force aliases on domains all the time.
This is bizarre. You're giving them way too much credit. They're villains. Of course they're going to sell your data. They'd spit in your mother's face for a nickel.
[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor
https://epiphany-rbc.com/
I would not be surprised if Epiphany RBC is running a survey on behalf of Uber.
And hence, the data was shared under Uber TOS.
Because uber@ (and google@, gmail@ etc) is quite predictable.
https://firewalltimes.com/uber-data-breach-timeline/
Contrary to popular belief and pervasive reporting, there is little-to-no second hand market for email addresses. Frankly, random email addresses are not particularly valuable. (Targeted lists of individuals, on the other hand, are very valuable and a different story.)
I can almost guarantee you one of two things happened:
- This company is a "legitimate partner" of Uber and has signed a data sharing agreement to handle some amount of market research/etc. Epiphany RBC is based in the Netherlands, so if this email is legitimately from them, they are required to have a chain of custody on your email address as part of GDPR. You can reach out to them directly and see where they got it.
- Your email address was randomly guessed by a spam bot that is looking for particular keywords. The vast majority of spam is sent this way - again, email addresses are not particularly valuable and a random address generator will eventually find it.
> B. How we use personal data
> for marketing and advertising
> D. Data sharing and disclosure
> 5. With Uber subsidiaries and affiliates
> We share data with our subsidiaries and affiliates to help us provide our services or conduct data processing on our behalf.
> 6. With Uber service providers and business partners
> marketing partners and marketing platform providers, including social media advertising services, advertising networks, third-party data providers, and other service providers to reach or better understand our users and measure advertising effectiveness
> research partners, including those performing surveys or research projects in partnership with Uber or on Uber’s behalf
(If you're based in a different country than United States, try changing the country selector. Probably have something identical or similar in it as what I cited above)
So, predictably, they shared your email with a bunch of 3rd parties, just like they said they would. Nothing unexpected here.
------
They try to be sneaky about it (https://www.uber.com/global/en/privacy/overview/) but of course they try...
> Does Uber sell or share my information to third parties for their direct marketing?
> No. Uber does not sell or share your personal data to third parties for their direct marketing, except with your consent.
And once you sign up to the platform, accept the Terms & Conditions + Privacy Policy you have given your consent, so the answer should actually be "Yes."
> I have my own domain name and I create custom email addresses for each account. For Uber, I predictably used "uber@<domain>"
What’s the purpose of this and doesn’t it get expensive (and burdensome) to create new custom email addresses?
As for expense, many email providers allow large numbers of free aliases for each account, or alternately one can use a catch-all address and then you don’t even need to pre-allocate the alias.
Based on this post and its comments, I think weekend HN needs to get a lot more cynical about the tech industry.