Slashdot Mirror


Glassdoor Exposes 600,000 Email Addresses (siliconbeat.com)

A web site where users anonymously review their employer has exposed the e-mail addresses -- and in some cases the names -- of hundreds of thousands of users. An anonymous reader quotes an article from Silicon Beat: On Friday, the company sent out an email announcing that it had changed its terms of service. Instead of blindly copying email recipients on the message, the company pasted their addresses in the clear. Each message recipient was able to see the email addresses of 999 other Glassdoor users...

Ultimately, the messages exposed the addresses of more than 2 percent of the company's users... Last month, the company said it had some 30 million monthly active users, meaning that more than 600,000 were affected by the exposure... Although the company didn't directly disclose the names of its users, many of their names could be intuited from their email addresses. Some appeared to be in the format of "first name.last name" or "first initial plus last name."

A Glassdoor spokesperson said, "We are extremely sorry for this error. We take the privacy of our users very seriously and we know this is not what is expected of us. It certainly isn't how we intend to operate."

2 of 94 comments

  1. companies always say the same thing by Anonymous Coward · Score: 5, Insightful

    "We take the privacy of our users very seriously"

    Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".

    Uhmm... no, clearly you do not. If you did, then you would not have exposed their email addresses in this manner. This is the opposite of "taking privacy seriously".

    Stop saying this, companies. It does not make it better. What makes it better is to demonstrate through actions and policies that you actually do take privacy seriously. There are ways to do this. Not perfect ways, but very good ways. Follow them. Then, and only then, can you say this and then look yourself in the mirror with a clear conscience.

    Such a mistake was presumably not intentional, but with actual good security practices, this would not have been possible without considerable effort to circumvent the security practices in place. Put them in place. THEN come tell us you "take privacy seriously". We don't care about the words. We care about the actions.

  2. Re:Bad but not so bad by Calydor · Score: 5, Interesting

    Boss of Company has suspected Employee of writing a really bad review but has no evidence.

    Employee is suddenly confirmed as a member of GlassDoor.com.

    Employee is fired.

    --
    -=This sig has nothing to do with my comment. Move along now=-