Glassdoor Exposes 600,000 Email Addresses

A web site where users anonymously review their employer has exposed the e-mail addresses -- and in some cases the names -- of hundreds of thousands of users. An anonymous reader quotes an article from Silicon Beat: On Friday, the company sent out an email announcing that it had changed its terms of service. Instead of blindly copying email recipients on the message, the company pasted their addresses in the clear. Each message recipient was able to see the email addresses of 999 other Glassdoor users...

Ultimately, the messages exposed the addresses of more than 2 percent of the company's users... Last month, the company said it had some 30 million monthly active users, meaning that more than 600,000 were affected by the exposure... Although the company didn't directly disclose the names of its users, many of their names could be intuited from their email addresses. Some appeared to be in the format of "first name.last name" or "first initial plus last name."
A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously and we know this is not what is expected of us. It certainly isn't how we intend to operate."

No one should be surprised

They have a glass door policy there.

Re: No one should be surprised

The wonderful thing about posting anonymously is that, from a purely objective perspective, ideas have to stand on their own merits. Nothing can be subjective. This is why winning an argument on the internet is like pissing in an ocean of piss, as we've seen in the above 5 posts.

When you try to get into empirical proof, especially anything having to do with history, then you need reputation because nobody ever invests in science for the good of mankind and because people will choose what they want to believe and fight to the grave over it. The ownership\investor class is particularly hard-fought over this.

The Server admins screwed the pooch by not reducing the total number of maximum emails recipients to maybe 20 or 30 and someone in Marketing just made an epic fail thinking their l33t outlook skills would work in some kind of guerrilla marketing campaign. So very stupid.

BTW, just for the record here. Whenever you end up in a situation where men can't make a consistent living, you are going to get them whoring around because they have no incentive to take care off their offspring; a scatter-gun approach is the best method in an unstructured chaotic society with no assurances. Classic example: Every war that we've ever had. American Africans have been disproportionately affected by wage arbitrage and if you had two brain cells to rub together you'd listen to what they have to say and how the game has been played against them because that same game is getting played against educated and uneducated whites right now; we are just too stupid to see through all the fancy terms these lawyers, bankers, and investors make up. Whites are about a generation behind where the blacks are today and the Latino's are about in the same boat. Go look up marriage rates sometime, or the percentage of men refusing to have kids. There are some shocking statistics there.

Re:No one should be surprised

Are you saying this lass is attired such that her teats are visible through the fabric of their clothing? And she may be of loose moral character? Might be worth going in for an interview even with no intent of working there.

companies always say the same thing

We take the privacy of our users very seriously

Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".

Uhmm... no, clearly you do not. If you did, then you would not have exposed their email addresses in this manner. This is the opposite of "taking privacy seriously".

Stop saying this, companies. It does not make it better. What makes it better is to demonstrate through actions and policies that you actually do take privacy seriously. There are ways to do this. Not perfect ways, but very good ways. Follow them. Then, and only then can you say this and then look yourself in the mirror with a clear conscience.

Such a mistake was presumably not intentional, but with actual good security practices, this would not have been possible without considerable effort to circumvent the security practices in place. Put them in place. THEN come tell us you "take privacy seriously". We don't care about the words. We care about the actions.

Re:companies always say the same thing

[arth1]

Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".

At this point, it's not even spin anymore, but etiquette. Much like after tragedies, politicians say that their thoughts are with the families. Or you saying "I'm fine, how are you" or "call me and let's have coffee". Everybody knows it's a lie, but you're supposed to go through with it anyhow, as etiquette greases the wheels and helps prevent escalations.

Re:companies always say the same thing

[qeveren]

If they took it seriously, they'd buy some competence.

Re: companies always say the same thing

Competence is a thing most only discover they don't have until after they needed it.

Re: companies always say the same thing

[theshowmecanuck]

This is a horribly true thing.

Re:companies always say the same thing

[Hognoxious]

When they say "We take X seriously" they mean "We care about appearing to take X seriously".

Re:companies always say the same thing

[Lost+Race]

It's not even too late to mitigate the breach, or at least it wasn't when they were busy composing that mealy-mouthed non-apology. They could have taken the entire site offline, deleted all user accounts, and sanitized all user account info from the comment database. Then go back online and require all users to start over with new accounts. But they clearly don't take user privacy that seriously.

That's what you get.

[bjwest]

You shouldn't try to talk shit about anyone behind their back. Anonymous rating/review sites are ripe for abuse and slander, and the info should be taken with a grain of salt, if not ignored altogether.

Re:That's what you get.

[ragahast]

How dare these peons communicate about their earnings and working conditions?! Don't they know a desperate reserve labor force is critical to our economy?

Re:That's what you get.

You shouldn't try to talk shit about anyone behind their back. Anonymous rating/review sites are ripe for abuse and slander, and the info should be taken with a grain of salt, if not ignored altogether.

Yes. But there may be something to it too.

I would never publicly expose an employer for anything - even if I had proof - because I would become unemployable. And suing and getting compensation under whistle blower laws? Well, it better be enough to allow me to live well for the rest of my life AND cover any other legal expenses I may incur if my ex-employer decides to come after me for something.

Here's what happens to many and I'm trying to find the Economist article they did years that told of one person who spent years unemployed while suing/being sued by their former employer for whistle blowing only to win and get just one year's salary - with no compensation for legal expenses.

It's best to keep your mouth shut, quit and find another job - unless you're being told to do something illegal yourself.

It just doesn't pay.

Re: That's what you get.

I think the point was 'living in the US'.
Here in the "free" world, exposing your employee for whatever might get you fired. But sued? The idea is ridiculous.
And if what expose is actually illegal, how could you get fired for it?
And even if you did get fired it wouldn't imply 'not eating' or 'being homeless'.
Its a culture difference, I guess.

Re:That's what you get.

[Antique+Geekmeister]

> Anonymous rating/review sites are ripe for abuse and slander

They're also priceless for due diligence by new employees, or for safely publishing thoughts about toxic workplaces. I used to regularly review the old "www.fuckedcompany.com" website for the real inner doings of clients, especially pending layoffs that might affect contracts with them.

Monster lawsuit on the horizon....

[BlytheBowman]

....the execs of Glassdoor see this and hop onto the escape jet to an undisclosed tropical island

Bad but not so bad

[ark1]

Emails addresses were exposed, that is bad news for sure. However it does not look like you can actually accurately tie the email address with reviews.

Re:Bad but not so bad

[Calydor]

Boss of Company has suspected Employee of writing a really bad review but has no evidence.

Employee is suddenly confirmed as a member of GlassDoor.com.

Employee is fired.

Re:Bad but not so bad

[ark1]

If an employer is suspecting an employee of writing a bad review, that employee would likely be gone long before the leak. This said there is for sure a chance, albeit in odd cases.

Re:Bad but not so bad

[Kneo24]

I was one of the people affected by this. You can only see about a thousand emails or so in the sent list. Your chances of this scenario happening are 1 in 600.

The person or persons responsible...

For this egregious error will have no lasting consequences applied to them.

Don't get me wrong. The low cost Indian PR firm or intern that was hired to deal with this issue will be fired. but the CEO who brought down the cost cutting measures that ment they had to hire the cut rate Indian firm/interns will simply get a rise.

Noting to see here please move along.

To their credit they are called the glass door

[140Mandak262Jamuna]

If they wanted to suggest some kind of privacy to the their users they would have called their site opaque door or at least frosted glass door.

Re:Wtf?

[fustakrakich]

That just might be the case. Most of the names might be burner accounts. Or do I have too much faith in people?

Just because you have access

[fred911]

This happens all the time. It's generally done by some dead-end user that CC's instead of BCC's a group of people he knows the latest greatest cat video, or even better, a forward this email and receive $$ (or save the children) email. Even more funny is when this is caused by malware installed by some executable executed by said user that is repetitively spewing out garbage email to everyone on the address list or even worse is used on a botnet.

  The only reason this is brought to light is the said dead-end users calls you about why his computer is so slow he can't watch cat videos because he's got so many pop-ups.

  Just goes to show, just because you can, doesn't mean you should.

Re:Just because you have access

[Obfuscant]

It's generally done by some dead-end user that CC's instead of BCC's

You should be aware that BCC is not a guarantee that others will not see addresses. RFC5322 says: " The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message." This SOUNDS like it should be safe to use for sending messages to a lot of people without anyone knowing who else got it, but it isn't. RFC5322 talks about three common ways that mail systems deal with BCC, and says:

In the second case, recipients specified in the "To:" and "Cc:" lines each are sent a copy of the message with the "Bcc:" line removed as above, but the recipients on the "Bcc:" line get a separate copy of the message containing a "Bcc:" line. (When there are multiple recipient addresses in the "Bcc:" field, some implementations actually send a separate copy of the message to each recipient with a "Bcc:" containing only the address of that particular recipient.)

The last sentence implies that some mail systems contain the full BCC line in copies sent to those BCC addresses. (Only "some" create individual BCC lines.) It does not use the mandates of "MUST" or "MUST NOT", so conforming implementations can actually show you, as a BCC recipient, the entire list of other BCC recipients. And I've seen that behaviour.

This is one of those areas where people assume the standards say one thing but actually don't. Like idiot web page designers who think they know the list of acceptable characters in an email address and yet they prohibit "+".

Re:Just because you have access

[arth1]

This is one of those areas where people assume the standards say one thing but actually don't. Like idiot web page designers who think they know the list of acceptable characters in an email address and yet they prohibit "+".

In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address. And even if the mail server isn't 100% standard, it will tell you whether it can parse the address, which is almost always what you want to know anyhow.
If the e-mail server accepts [10.20.30.40]!hub!node1!user as an e-mail address, why should the web app care? It's not doing the routing or delivery and has no business telling anyone what's valid e-mail or not.

Re:Just because you have access

[Obfuscant]

In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address.

The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.

I've looked at the javascript source for this on several pages. It's all the same. And I've given the correct code to at least one site, telling them "add the following lines". It's a virus coming from somewhere that they are copying and assuming it must be right and their customer (who has done this kind of thing for more than two decades) must be wrong.

It can't be pushed onto a mail server, because the javascript has no standard way of asking one. There is no way to even guarantee that the client system is running a mail server to ask.

It's not doing the routing or delivery and has no business telling anyone what's valid e-mail or not.

I have had lengthy email exchanges with the support people at such websites, and it is always fun for them to tell me that "+" is not a valid character in an email address when they are happily conversing with someone who has a "+" in his email address. Obviously it is valid; obviously they are idiots.

Re:Just because you have access

[arth1]

The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.

That's all kinds of dumb, given that the client can modify the javascript and tell it that an address is validated. So it must be verified at the server end too, anyhow.

I have had lengthy email exchanges with the support people at such websites, and it is always fun for them to tell me that "+" is not a valid character in an email address when they are happily conversing with someone who has a "+" in his email address. Obviously it is valid; obviously they are idiots.

Try using an e-mail address with @ in the local part...
Or having an e-mail address on a TLD, like hostmaster@museum.

It's not for the sender to decide what's valid. It should decide whether it's routeable, and leave it up to recipient to decide whether it's valid.
And it's certainly not up to a web page that isn't even the sender.

I'm also irritated with those who either capitalize or lowercase the local part. It's fine to do that with the remote part, but it's really up to the recipient server whether foo@bar, Foo@bar, FOO@bar and so on are different recipients.
(And while at it, don't mangle names either. MacKie is not the same name as Mackie.)

Re:Just because you have access

[Obfuscant]

So it must be verified at the server end too, anyhow.

Most people are not going to know how to modify the javascript, and it isn't trivial anyway. The code isn't verifying the address, it is validating the syntax. You can't verify an address without actually trying to send to it.

It's not for the sender to decide what's valid.

If you can properly manage RFC5322, there is no reason not to flag invalid syntax as soon as possible. The failure is people who ignore the standards, or are working in a job where knowledge of the standards is critical and they just don't care.

Re:In other news... GlassDoor.com changes its name

[Calydor]

It's called Navel Gazing, not Navy Gazing.

Bankrupcy

[whoever57]

Glassdoor deserves to go bankrupt and shut down over this. They have spectacularly failed in the one thing they should have done: keeping the identity of their posters secret.

Re:Bankrupcy

[zifn4b]

Glassdoor deserves to go bankrupt and shut down over this.

Nope. Always use a burner email address! Glassdoor is pretty much the only service that exposes toxic employer practices. These employers go to great lengths to hide and misrepresent employment engagements in the name of apathetic profits. It's the only way Americans have to keep employers held to some standard of employment environments in the white collar world especially.

Re:Wtf?

[arth1]

That just might be the case. Most of the names might be burner accounts. Or do I have too much faith in people?

You do.
A large amount of people are both lazy and ignorant. Which is probably why they posted at glassdoor in the first place, after being passed for promotions or bonuses, or being replaced by a very small shell script.

Chances are that a great many of these people not only used their real name in their e-mail, but posted from company computers, with the access and data logged. And the only reason they haven't been fired already is that IT doesn't have capacity to wade through all the crap that management told them to log.

Heck, anyone thinking that a site like glassdoor is going to make any positive difference is delusional. At best, it serves as a place to vent.

Burned yet again

[Tablizer]

Democrats have the worse luck with email. Time to switch to smoke signals perhaps?

Uh huh

[Ol+Olsoc]

A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously

No you don't you stupid assholes. Because you just showed how frivolously you take their privacy by telling the world who they are, in as mindlessly careless a way as can be imagined.

May all of your employees find new jobs, and may you go out of business in as humiliating a way as possible.

Re:Uh huh

[anybody_out_there]

May all of your employees find new jobs, [...]

<pendant>

Well, except for the ones that are responsible for this, be they technical, legal or managerial.

</pendant>

:-)

Re:Wtf?

[arth1]

"Number," not "amount." "People" is a countable noun.

Is there a term for people trying to be pedants, but not being pedantic enough?

in short, you're wrong. While "people" is sometimes used as a substitute for "persons", that does not transform it into a countable. In its singular form, it is still a group noun, like "money" or "slime".

There is indeed an error in the sentence you criticized, but it's with using "are" instead of "is", and not using "amount" instead of "number".

every time

[Swampash]

I have witnessed this sort of thing happen either at an employer or at a client business, it occurred shortly after the hiring of a bubbly new young marketing coordinator.

Re:every time

[Antique+Geekmeister]

Older sales directors do it too. I'd consider writing about it, but it wasn't _my_ company's sales director.

Glad to see this covered here

[Vegan+Cyclist]

I was one of the people 'exposed', it was sent directly 'To:' myself and a large number (guessing 998) other addresses. Immediately realized this could expose people..gah..

Re:Wtf?

[Hognoxious]

a group noun, like "money" or "slime".

Nope. Those are mass nouns. Perhaps you meant collective nouns? Not that either. A collective noun is like a platoon (made of soldiers) or a flock (made of sheep).

Maybe this is why "27 people" makes sense, but "31 money" or "4 slime" don't.

Obviously

[nospam007]

Glass doors in my house have been exposing my bare ass for years.

Re:Wtf?

[Kneo24]

I've only ever used Glassdoor for companies after I left. At that point I don't give a fuck what my previous employer thinks if I left on bad terms. Most of the names are not burner accounts either, at least from what I can see. I was one of the 600,000 affected by this.

I always forget some mundane detail!

[zifn4b]

...like the decimal point or in this case, the infamous second letter of the alphabet: B

something wrong with this picture

[ihtoit]

let me break it down like this: an anonymous website where you have to give a valid email address tied to you the person is NOT anonymous.

Re:Wtf?

[fustakrakich]

I still don't understand. By now you should that these "breaches" are an everyday thing. Why would you ever give your real name and/or card?

Collective or individual

[XXongo]

There is indeed an error in the sentence you criticized, but it's with using "are" instead of "is", and not using "amount" instead of "number".

Interesting, but you're only half right.

"A large number of people are both lazy and ignorant" is grammatically correct.

"A large amount of people is both lazy and ignorant" is also arguably correct.

But it says a different thing. The first sentence says that there are many people who are, individually, both lazy and ignorant. The phrase "lazy and ignorant" applies to the individuals in the group. The second sentence says that the subject of the sentence, "a large amount of people" considered as a single object, is both lazy and ignorant. The singular verb means that the phrase "lazy and ignorant" applies to the group as whole