Tell HN: Uber sold my email address

53 points by frutiger ↗ HN
Like many here, I have my own domain name and I create custom email addresses for each account. For Uber, I predictably used "uber@<domain>". I have never used that address anywhere else.

Two days ago, I received spam titled "Epiphany RBC" about some survey that will give me a $5 gift card.

How does a Big Tech company like Uber mishandle private data like email addresses? Presumably this action was not coordinated by the C-suite. Did some mid-level/low-level employee with access to the data actually steal and sell the addresses?

32 comments

[ 0.26 ms ] story [ 80.4 ms ] thread
I bet there's some blurb in a 30-page ToS PDF that allows them to share your e-mail address with "our valued partners" or similar BS.
There should be something similar to haveibeenpwned, maybe haveibeensold, where you can report these things and see if others are experiencing the same.

If uber sold the email addresses, or had a leak, many people will be affected, and some of them likely have custom aliases. If nobody else was affected, it might just be a random event, bots try to brute-force aliases on domains all the time.

I do the same, and it's entirely possible Uber has sold your address. But do you realize that people send email shotgun-style? My domains get emails sent to address that have never been used. Anything that is common, popular or even a reasonable guess.
OP should introduce some random data like uber53gh@domain so that he can rule out this possibility
Just curious, are you a 53 years old github user ?
Either that or a 70 years old GitHub user.
This was my first thought. This doesn't prove anything except that somebody emailed you at uber@example.com. That doesn't require Uber selling your address
> How does a Big Tech company like Uber mishandle private data like email addresses? Presumably this action was not coordinated by the C-suite. Did some mid-level/low-level employee with access to the data actually steal and sell the addresses?

This is bizarre. You're giving them way too much credit. They're villains. Of course they're going to sell your data. They'd spit in your mother's face for a nickel.

Always be hustling!
In their performance review they can say they spat in X mother's faces this quarter
That tracks input, not output. Maybe it's a good leading indicator, but how many nickels did this generate? What's the nickels/spit ratio compared to the last few quarters?
If you’re comparing nickels and quarters, the ratio probably doesn’t favor nickels.
While I do agree that a mid/low-level employee is very unlikely to be the cause (why risk a reasonably high salary at Uber and possibly being blackballed from the industry if detected?), I think Hanlon's Razor [1] could be used here to infer that it was more likely a breach of Uber's systems.

[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor

Hanlon's razor tends not to hold true when malice is profitable, and ignorance is a conveniently plausible excuse.
Hanlon's Razor is a social policy for harmonious judgments on individuals. Uber is a company out to make money and there's no need to extend such a courtesy to them.
Googled “Epiphany RBC”

https://epiphany-rbc.com/

I would not be surprised if Epiphany RBC is running a survey on behalf of Uber.

And hence, the data was shared under Uber TOS.

If you email really was just uber@domain then this could just be dumb luck. Spammers try permutations all the time.
The other side isn't dumb, so I never use <service>@, it's always <service>somesuffix@.

Because uber@ (and google@, gmail@ etc) is quite predictable.

Isn't this the company whose CISO went to jail for covering up a hack? I wouldn't assume they sold the email addresses.
I run the email marketing systems for a publicly traded company. This is my area of expertise.

Contrary to popular belief and pervasive reporting, there is little-to-no second hand market for email addresses. Frankly, random email addresses are not particularly valuable. (Targeted lists of individuals, on the other hand, are very valuable and a different story.)

I can almost guarantee you one of two things happened:

- This company is a "legitimate partner" of Uber and has signed a data sharing agreement to handle some amount of market research/etc. Epiphany RBC is based in the Netherlands, so if this email is legitimately from them, they are required to have a chain of custody on your email address as part of GDPR. You can reach out to them directly and see where they got it.

- Your email address was randomly guessed by a spam bot that is looking for particular keywords. The vast majority of spam is sent this way - again, email addresses are not particularly valuable and a random address generator will eventually find it.

https://www.uber.com/legal/en/document/?country=united-state...

> B. How we use personal data

> for marketing and advertising

> D. Data sharing and disclosure

> 5. With Uber subsidiaries and affiliates

> We share data with our subsidiaries and affiliates to help us provide our services or conduct data processing on our behalf.

> 6. With Uber service providers and business partners

> marketing partners and marketing platform providers, including social media advertising services, advertising networks, third-party data providers, and other service providers to reach or better understand our users and measure advertising effectiveness

> research partners, including those performing surveys or research projects in partnership with Uber or on Uber’s behalf

(If you're based in a different country than United States, try changing the country selector. Probably have something identical or similar in it as what I cited above)

So, predictably, they shared your email with a bunch of 3rd parties, just like they said they would. Nothing unexpected here.

------

They try to be sneaky about it (https://www.uber.com/global/en/privacy/overview/) but of course they try...

> Does Uber sell or share my information to third parties for their direct marketing?

> No. Uber does not sell or share your personal data to third parties for their direct marketing, except with your consent.

And once you sign up to the platform, accept the Terms & Conditions + Privacy Policy you have given your consent, so the answer should actually be "Yes."

Off-topic

> I have my own domain name and I create custom email addresses for each account. For Uber, I predictably used "uber@<domain>"

What’s the purpose of this and doesn’t it get expensive (and burdensome) to create new custom email addresses?

Many services like Fastmail allow you to use aliases which all end up in the same inbox, but different addresses at no additional cost.
The main reason to do this: you can easily tell which vendors sold your information.

As for expense, many email providers allow large numbers of free aliases for each account, or alternately one can use a catch-all address and then you don’t even need to pre-allocate the alias.

Mishandle? Their terms of service allow them to sell your data, so they sold your data. This was not only coordinated by the C-Suite, it was most likely initiated there.

Based on this post and its comments, I think weekend HN needs to get a lot more cynical about the tech industry.

Rather than an uber share/leak, they may have guessed it.
(comment deleted)
(comment deleted)