Slashdot Mirror


Glassdoor Exposes 600,000 Email Addresses (siliconbeat.com)

A web site where users anonymously review their employer has exposed the e-mail addresses -- and in some cases the names -- of hundreds of thousands of users. An anonymous reader quotes an article from Silicon Beat: On Friday, the company sent out an email announcing that it had changed its terms of service. Instead of blindly copying email recipients on the message, the company pasted their addresses in the clear. Each message recipient was able to see the email addresses of 999 other Glassdoor users...

Ultimately, the messages exposed the addresses of more than 2 percent of the company's users... Last month, the company said it had some 30 million monthly active users, meaning that more than 600,000 were affected by the exposure... Although the company didn't directly disclose the names of its users, many of their names could be intuited from their email addresses. Some appeared to be in the format of "first name.last name" or "first initial plus last name."

A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously and we know this is not what is expected of us. It certainly isn't how we intend to operate."

12 of 94 comments

  1. companies always say the same thing by Anonymous Coward · · Score: 5, Insightful

    We take the privacy of our users very seriously

    Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".

    Uhmm... no, clearly you do not. If you did, then you would not have exposed their email addresses in this manner. This is the opposite of "taking privacy seriously".

    Stop saying this, companies. It does not make it better. What makes it better is to demonstrate through actions and policies that you actually do take privacy seriously. There are ways to do this. Not perfect ways, but very good ways. Follow them. Then, and only then can you say this and then look yourself in the mirror with a clear conscience.

    Such a mistake was presumably not intentional, but with actual good security practices, this would not have been possible without considerable effort to circumvent the security practices in place. Put them in place. THEN come tell us you "take privacy seriously". We don't care about the words. We care about the actions.

  2. Bad but not so bad by ark1 · · Score: 2

    Email addresses were exposed, that is bad news for sure. However it does not look like you can actually accurately tie the email address with reviews.

    1. Re:Bad but not so bad by Calydor · · Score: 5, Interesting

      Boss of Company has suspected Employee of writing a really bad review but has no evidence.

      Employee is suddenly confirmed as a member of GlassDoor.com.

      Employee is fired.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  3. The person or persons responsible... by Anonymous Coward · · Score: 2, Insightful

    For this egregious error will have no lasting consequences applied to them.

    Don't get me wrong. The low cost Indian PR firm or intern that was hired to deal with this issue will be fired. But the CEO who brought down the cost cutting measures that meant they had to hire the cut rate Indian firm/interns will simply get a rise.

    Nothing to see here please move along.

  4. To their credit they are called the glass door by 140Mandak262Jamuna · · Score: 4, Funny

    If they wanted to suggest some kind of privacy to their users they would have called their site opaque door or at least frosted glass door.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Bankruptcy by whoever57 · · Score: 3, Insightful

    Glassdoor deserves to go bankrupt and shut down over this. They have spectacularly failed in the one thing they should have done: keeping the identity of their posters secret.

    --
    The real "Libtards" are the Libertarians!
  6. Re:That's what you get. by ragahast · · Score: 2

    How dare these peons communicate about their earnings and working conditions?! Don't they know a desperate reserve labor force is critical to our economy?

    --
    .:Semper Absurda:.
  7. Re:Just because you have access by Obfuscant · · Score: 2

    It's generally done by some dead-end user that CC's instead of BCC's

    You should be aware that BCC is not a guarantee that others will not see addresses. RFC5322 says: " The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message." This SOUNDS like it should be safe to use for sending messages to a lot of people without anyone knowing who else got it, but it isn't. RFC5322 talks about three common ways that mail systems deal with BCC, and says:

    In the second case, recipients specified in the "To:" and "Cc:" lines each are sent a copy of the message with the "Bcc:" line removed as above, but the recipients on the "Bcc:" line get a separate copy of the message containing a "Bcc:" line. (When there are multiple recipient addresses in the "Bcc:" field, some implementations actually send a separate copy of the message to each recipient with a "Bcc:" containing only the address of that particular recipient.)

    The last sentence implies that some mail systems contain the full BCC line in copies sent to those BCC addresses. (Only "some" create individual BCC lines.) It does not use the mandates of "MUST" or "MUST NOT", so conforming implementations can actually show you, as a BCC recipient, the entire list of other BCC recipients. And I've seen that behaviour.

    This is one of those areas where people assume the standards say one thing but actually don't. Like idiot web page designers who think they know the list of acceptable characters in an email address and yet they prohibit "+".
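
The To/Cc/Bcc behaviour the comment above describes, as an added worked example that is not Glassdoor's code and not part of the original thread. It uses only the Python standard library, builds the three variants of a bulk notification (all addresses in a visible header, the addresses in Bcc, one message per recipient), and checks each delivered copy for addresses other than its recipient's own. The recipient list is constructed sample data, and nothing is actually sent: the functions return the (envelope recipients, message) pairs you would hand to smtplib.

```python
"""Bulk notification without exposing the recipient list (added example,
not Glassdoor code). Only the email standard library is used; RECIPIENTS is
constructed sample data and no mail is sent."""
from email.message import EmailMessage

# Constructed sample list; the real mailing put 1,000 addresses per message.
RECIPIENTS = [f"user{i}@example.com" for i in range(1, 6)]
SENDER = "notifications@example.com"
SUBJECT = "Updated terms of service"
BODY = "We have updated our terms of service."


def _base_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def naive_message(recipients):
    """The mistake in the story: every address pasted into a visible header.
    Returns one (envelope recipients, message) pair."""
    msg = _base_message()
    msg["To"] = ", ".join(recipients)
    return [(list(recipients), msg)]


def bcc_message(recipients):
    """Addresses in Bcc. Whether the Bcc line is stripped, or copied to every
    Bcc recipient, is left to the sending implementation (RFC 5322 3.6.3),
    so the message object itself still carries the whole list."""
    msg = _base_message()
    msg["To"] = "undisclosed-recipients:;"  # empty group, reveals nobody
    msg["Bcc"] = ", ".join(recipients)
    return [(list(recipients), msg)]


def per_recipient_messages(recipients):
    """One message per recipient. The only address in any header is that
    recipient's own, and the SMTP envelope is the same single address, so
    there is nothing for a relay or a Bcc-copying MTA to leak."""
    batches = []
    for rcpt in recipients:
        msg = _base_message()
        msg["To"] = rcpt
        batches.append(([rcpt], msg))
    return batches


def addresses_in_headers(msg: EmailMessage) -> set:
    """Every recipient address readable from the message headers."""
    found = set()
    for name in ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc"):
        for header in msg.get_all(name, []):
            for address in header.addresses:   # parsed by email.headerregistry
                found.add(address.addr_spec.lower())
    return found


def exposed_to(msg: EmailMessage, recipient: str) -> set:
    """Other users' addresses this copy would reveal to `recipient`."""
    return addresses_in_headers(msg) - {recipient.lower()}


def safe_to_send(batches) -> bool:
    """Pre-send check: no copy may carry any address but its own recipient's."""
    for envelope, msg in batches:
        for rcpt in envelope:
            if exposed_to(msg, rcpt):
                return False
    return True


if __name__ == "__main__":
    for label, batches in (("To:", naive_message(RECIPIENTS)),
                           ("Bcc:", bcc_message(RECIPIENTS)),
                           ("per-recipient", per_recipient_messages(RECIPIENTS))):
        print(f"{label:14} safe={safe_to_send(batches)} messages={len(batches)}")
```

The check deliberately flags the Bcc variant: Python's own `smtplib.SMTP.send_message` deletes the Bcc header from the copy it transmits, but that is one implementation's choice, and the point of the comment above is that the standard does not require it. Per-recipient messages (or an empty `To:` group with the addresses only in the SMTP envelope) do not depend on what any MTA does with Bcc.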

  8. Uh huh by Ol+Olsoc · · Score: 2

    A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously

    No you don't you stupid assholes. Because you just showed how frivolously you take their privacy by telling the world who they are, in as mindlessly careless a way as can be imagined.

    May all of your employees find new jobs, and may you go out of business in as humiliating a way as possible.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. Re:Just because you have access by Obfuscant · · Score: 2

    In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address.

    The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.

    I've looked at the javascript source for this on several pages. It's all the same. And I've given the correct code to at least one site, telling them "add the following lines". It's a virus coming from somewhere that they are copying and assuming it must be right and their customer (who has done this kind of thing for more than two decades) must be wrong.

    It can't be pushed onto a mail server, because the javascript has no standard way of asking one. There is no way to even guarantee that the client system is running a mail server to ask.

    It's not doing the routing or delivery and has no business telling anyone what's valid e-mail or not.

    I have had lengthy email exchanges with the support people at such websites, and it is always fun for them to tell me that "+" is not a valid character in an email address when they are happily conversing with someone who has a "+" in his email address. Obviously it is valid; obviously they are idiots.
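
The "+ is not a valid character" bug from the two comments above, as an added example that is not code from any site mentioned and not part of the thread. It sets a typical copy-pasted sign-up regex beside a check built from the RFC 5322 atext set, which includes "+", and shows which constructed sample addresses each one accepts. The patterns are plain regular expressions, so the corrected one can be dropped unchanged into the browser-side JavaScript the comment describes; the syntactic check is a deliberate subset of the RFC (no quoted local parts, no domain literals) and is only a sanity check, not proof that the mailbox exists.

```python
"""Sign-up form address check that does not reject valid addresses (added
example; the addresses below are constructed, not taken from any site)."""
import re

# The usual copied pattern: letters, digits, dot, underscore and hyphen only.
# It rejects "+", "'", "!" and the rest of what RFC 5322 allows.
COPIED_PATTERN = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# RFC 5322 atext: ALPHA / DIGIT / ! # $ % & ' * + - / = ? ^ _ ` { | } ~
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom-text: runs of atext separated by single dots (no leading,
# trailing or doubled dots).
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# Domain labels restricted to what DNS will resolve; at least one dot so
# that bare host names are not accepted on a public sign-up form.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDR_SPEC = re.compile(rf"^{DOT_ATOM}@{LABEL}(?:\.{LABEL})+$")


def copied_check(addr: str) -> bool:
    """What the broken forms do."""
    return bool(COPIED_PATTERN.match(addr))


def plausible_address(addr: str) -> bool:
    """Syntactic sanity only: dot-atom local part of at most 64 octets,
    whole address at most 254 octets, dotted domain. Anything that passes
    still has to be confirmed by sending mail to it."""
    if len(addr) > 254 or "@" not in addr:
        return False
    local, _, _domain = addr.rpartition("@")
    if len(local) > 64:
        return False
    return bool(ADDR_SPEC.match(addr))


if __name__ == "__main__":
    for sample in ("first.last+glassdoor@example.com", "o'brien@example.co.uk",
                   "first..last@example.com", "user@localhost"):
        print(f"{sample:36} copied={copied_check(sample)!s:5} "
              f"plausible={plausible_address(sample)}")
```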

  10. Re:That's what you get. by Antique+Geekmeister · · Score: 3

    > Anonymous rating/review sites are ripe for abuse and slander

    They're also priceless for due diligence by new employees, or for safely publishing thoughts about toxic workplaces. I used to regularly review the old "www.fuckedcompany.com" website for the real inner doings of clients, especially pending layoffs that might affect contracts with them.

  11. something wrong with this picture by ihtoit · · Score: 3, Insightful

    let me break it down like this: an anonymous website where you have to give a valid email address tied to you the person is NOT anonymous.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel