42 comments

[ 2.3 ms ] story [ 70.3 ms ] thread
Or the company data has been compromised. That’s a really common way for emails to ‘leak’.
> BrowserStack routinely sell or give away their users' data.

> A third-party service used by BrowserStack siphons off information to send to others.

> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

Or the simpler answer, their db/email list has been compromised.

BrightData is another company offering hosted browsers who has also recently leaked private data, although they did email customers to warn them.

I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?

I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot.

I think most likely an attacker who has the customer data is using Claude to analyse it.

Is the _very big_ company Amazon, I wonder.
This is beyond outrageous. And the data leak angle they’re pushing doesn’t make sense either.
Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is often times overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589...

Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.

And the sad thing is, I can guarantee this thread alone will be great marketing for Apollo and they will gain a pile of new enquiries Monday morning.
Another way these companies get data is they have credits. It costs a credit for a salesperson to enrich the data of someone they're trying to contact. There are 2 ways to gain credits: 1 - cash; 2 - the salesperson installs a plugin in their inbox and it scrapes all contact info in the inbox.

ZoomInfo is the most aggressive about this.

re apollo: inbox scraping is what they're describing here [1]

> Apollo does leverage its large network of over 2 million contributors to improve the scope and accuracy of its database of business contact information and run verification checks that result in a better user experience for its entire customer base. Most of the data we collect from our Apollo users simply forms part of our verification system to check and confirm existing information in the Apollo database.

[1] https://knowledge.apollo.io/hc/en-us/articles/20727684184589...

>After a brief discussion, the emailer told me they got my details from Apollo.io

The landing page for Apollo.io says it's a "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.

Working in sales but not being able to handle customer data responsibly (for whatever reason). Not a good look.
> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" is not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

Of course. I use Firefox Relay to generate a unique email address for every site where I have to use an email. That method hasn't failed me so far.
Email needs a consent revocation system effectively like how Blackberry had PINs for BBM
Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy)
Just wait till OP learns about Accurint!
Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy)

Caught quite a few leakers that way, by using specific addresses for specific sites or categories of sites

(Last time I tried, Gmail's aliases were useless; they included your real address in the alias!)

Guys at seamless io do the same thing. I found a very personal email address on the system. I figured someone at work was leaking their address book to seamless.

I don’t know how to stop it

Selected quotes from Apollo's GDPR page:

> Consent must be "freely given, specific, informed, and unambiguous."

and

> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.

https://knowledge.apollo.io/hc/en-us/articles/4409141087757-...

Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.

In other words: yes, if you have a CRM in then you might derive legitimate interests in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!

So ultimately I think this is on both Browserstack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).

Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.

Meta comment on the blog itself: Those theme options are really neat. Such a great touch for a personal blog!
Cheers mate, I appreciate it.
Thank you for naming and shaming the company.
Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses?

https://en.wikipedia.org/wiki/Canary_trap

Sounds about right. Yes, I've been doing it for decades now and besides telling you who's selling email lists, it makes filtering much easier. Filtering by To: is pretty low effort compared to Bayesian spam filters etc. They get tossed in a Sieve filter as soon as they become a problem, and I'll send a bitch letter to the leaker with another random email address to see how dedicated they are to screwing me.
How is this possible for any normal person with a work provided 365 account?
I had the same thing happen with Compare The Market in the UK. I used two unique email addresses with them on two different domains and the same day both started receiving spam. I reported it to them and they don't care, because how do you prove it?
We need anonymous phone numbers
(comment deleted)