Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.
1. A user signs up to BrowserStack
2. BrowserStack (automatically) uploads the submitted user’s information to Apollo
3. Apollo “enriches” the user’s details using information they already have about the person, e.g. company revenue, LinkedIn profile
4. Sales reps at BrowserStack use the enriched information to identify leads, bucket for marketing etc.
Apollo’s customer data sharing adds any information BrowserStack sends to Apollo to the person’s profile with Apollo, accessible to all Apollo customers.
For example, any other Apollo customer can search something like “email addresses for decision makers at Example, Inc.” and get back a list including your email address (if you told BrowserStack you are a decision maker at Example, Inc.).
Every single marketing team is doing all of this, the only reason it was obvious in this case is that the OP used a unique email address for BrowserStack. If you sign up for any business product online, you surely have a profile in Apollo filled with details about you gathered from around the web (and details you submitted).
Edit: opt-out link: https://www.apollo.io/privacy-policy/remove (but Apollo are just one of many companies offering this service).
In that time I have had 'leaks' twice: my State's Fish and Wildlife licensing organ, and GitHub. In both cases I assume it's more that the email ends up being public, not because of something like Apollo.
I guess it's possible that spam is getting filtered before it ever hits my inbox.
Edit: I was responding to the idea of it leading to spam, not that Apollo wasn't collecting information on me.
For those curious: I signed up with Apollo and looked at what they had on me (via the link in the flagged/dead post by fontain). The email address they have is technically correct, but it's a non-current work email. It's still active and I do get a lot of senseless/bizarre business sales inquiries on that address. The phone number they have is wrong and I don't recognize it. They have my LinkedIn byline; it's likely how I was 'found' so quickly, as my username is the same there. I'm listed as cold.
I did a search (DDG, Chromium) for an Anker product line that I've been following. Clicked the link to Anker, skimmed, nothing new.
Then shortly I get an email from "Checkmate" with a promo offer.
I don't have an Anker account or whatever, don't recall signing in. I figure it's fingerprinting or cookies, but so far it's never been so overt.
I feel like this is an indicator of something, some sea change. Of needing to squeeze more water from the stone. My phone's been blowing up with spam calls since. I've been mysteriously added to email lists. I'm getting short-code text spam in addition to the regular spam, which when I report to 7726, AT&T basically tells me it's fine, it's paid for.
This may be a ploy to get me to turn the AI features back on in Gmail, but it feels like somewhere, lines have been crossed.
I have had the same work email address for 13 years. I have done lots of hardware and software purchasing in that time, and I am never shy of using my work email to sign up for things and give to account managers etc. It is used on my Microsoft SSO, my Dell business account, my Slack account etc., etc.
After I jumped through all their hoops to opt out, I got this email from them:
"We searched our records with your email: xxx@xxxxxx but could not find any information associated to it in our databases. We will keep your email: xxx@xxxxxx in our suppression list in order not to create any data associated with your email."
So I guess they might not be as ubiquitous in their data capture as you may have thought? Or they are straight up lying.
5. BrowserStack gets hit by a massive GDPR fine.
ZoomInfo is the most aggressive about this.
Re Apollo: inbox scraping is what they're describing here [1]
> Apollo does leverage its large network of over 2 million contributors to improve the scope and accuracy of its database of business contact information and run verification checks that result in a better user experience for its entire customer base. Most of the data we collect from our Apollo users simply forms part of our verification system to check and confirm existing information in the Apollo database.
[1] https://knowledge.apollo.io/hc/en-us/articles/20727684184589...
The landing page for Apollo.io says it's an "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.
If only.
I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" are not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, I don't think this is as effective as people think it is anymore.
Sometimes customer support staff bring up "oh, do you work at <company> too?" I just tell them that I created an email address just for their company, in case they spam me.
Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback, as I soon experienced, was that spammers would email a lot of different email addresses on my domain that never existed, but because I was going catch-all, those would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses, and because I was accepting everything I’d also get tons of spam.
As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?
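An added example (not code from any commenter) that covers both points above: the "de-aliasing" a service can do to collapse `name+site@host` back to the base mailbox, and the leak-attribution / phishing-filter check that only a genuinely distinct per-service alias supports. The `ALIASES` registry, the domains and the sample mail lines are all constructed.

```python
"""Per-service alias bookkeeping: attribute leaks and flag mail that arrives
on an alias from a sender the alias was never given to."""
import re
from collections import defaultdict
# Constructed registry: alias -> domain of the one service it was given to.
ALIASES = {
    "dogfood-trial@alias.example": "dogfood.example",
    "mybank@alias.example": "bank.example",
    "jane+browserstack@gmail.com": "browserstack.example",  # plus-tag alias
}

def normalize(addr: str) -> str:
    """Canonical form a de-aliasing service would compute: lowercase, drop the
    +tag, and for Gmail also drop dots in the local part. Shows why
    name+site@host is not a distinct identity to such a service."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"

def sender_domain(addr: str) -> str:
    return addr.strip().lower().rpartition("@")[2]

def classify(sender: str, recipient: str) -> str:
    """expected: sender is the service the alias was issued to; suspicious:
    alias reached someone else (leak, resale or phishing); unregistered: not ours."""
    service = ALIASES.get(recipient.strip().lower())
    if service is None:
        return "unregistered"
    sd = sender_domain(sender)
    return "expected" if sd == service or sd.endswith("." + service) else "suspicious"

def leak_report(log_lines):
    """Group suspicious sender domains by alias from 'From: x To: y' lines."""
    report = defaultdict(set)
    for line in log_lines:
        m = re.match(r"From: (\S+) To: (\S+)", line)
        if m and classify(m[1], m[2]) == "suspicious":
            report[m[2].lower()].add(sender_domain(m[1]))
    return dict(report)

# Constructed sample lines, not real mail.
SAMPLE = [
    "From: offers@dogfood.example To: dogfood-trial@alias.example",
    "From: security@bank.example To: dogfood-trial@alias.example",  # never gave it to a bank
    "From: sales@leadgen.example To: dogfood-trial@alias.example",
    "From: alerts@mail.bank.example To: mybank@alias.example",
]
```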
No I'm not trying to hack you.
Which in hindsight is also what a hacker would say. I can't win...
Even if it's a "new" alias, I often see people[1] using simple schemes to derive the address, e.g. facebook@mydomain.example. With cheap LLMs it's not hard to automatically guess what the underlying pattern is.
Edit: [1] i.e. in this very thread
> A third-party service used by BrowserStack siphons off information to send to others.
> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.
Or the simpler answer, their db/email list has been compromised.
> Or the simpler answer, their db/email list has been compromised.
I find the first option far simpler.
It’s not. I give a unique email address to every service I register with, which means I can see who is leaking my email address. Very few of them leak my email address at all, and those that do tend to do so involuntarily through data breaches.
The other main factors in spam are the sleazeballs at Apollo, ZoomInfo, et al., services that use my email address internally for more than I consented (if I use my email address to register for a service, this does not permit that service to add me to their product mailing list), and the spammers who guess email addresses based on LinkedIn info (e.g. name + company domain).
Services that appear to take an email address I have given them and sell it appear to be extremely rare.
Are there actually companies that will pay you $$$ for a list of emails?
> Consent must be "freely given, specific, informed, and unambiguous."
and
> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.
https://knowledge.apollo.io/hc/en-us/articles/4409141087757-...
Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.
In other words: yes, if you have a CRM, then you might derive a legitimate interest in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!
So ultimately I think this is on both BrowserStack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).
Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.
I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?
I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's ClaudeBot.
I think most likely an attacker who has the customer data is using Claude to analyse it.
Caught quite a few leakers that way, by using specific addresses for specific sites or categories of sites.
(Last time I tried, Gmail's aliases were useless; they included your real address in the alias!)
Web scanners, though, aren't people, and easily noticed them, thus building up a database of email addresses to spam people.
It was discovered when a friend mentioned that one of their uniquely generated email addresses was being used by spammers. Similar to this post.
So, we got in contact with the forum people to let them know, and they tracked down + fixed the problem.
Perhaps a similar thing is happening to the article author, rather than purposely malicious behaviour?
Selling email lists is business. Not selling email lists is, in some cases, much smarter, much more hard-nosed business, and is exactly what you would expect from Amazon.
When your only product is email addresses, you will sell them to anybody trying to sell other shit.
When you sell all the possible kinds of shit in the world, why on earth would you enable your competitors by giving them any form of access to your customer list?
I don’t know how to stop it.
I'd like to see that concept replicated to other email services. I don't particularly like all the other opinionated choices of Hey.com (especially the fact that you can't use IMAP).
The initial email verification sent to you (“click here to confirm your email address”) includes an attachment requesting an auth token. Emails with this attachment get presented to the user in something akin to a friend request for email, with a consent screen describing how they intend to use your email and for how long. Approving the request hands them a Biscuit token.
The sender attenuates this token when sending email to you or when sharing with a third party provider like Mailchimp. Any emails authorised by a token automatically skip all spam filters. This is the carrot for senders to adopt – they can stop worrying about all the deliverability and IP reputation nonsense and can just send direct from their own servers, reversing the centralisation of email and making it more reliable by skipping spam filter heuristics.
All of these emails have reliable provenance and traceability. If a leak / abuse happens, you can revoke the token and any emails sent with it. Senders can also proactively revoke any tokens provided to third-parties in case they were breached, without affecting the sender’s ability to send themselves or through other providers.
Once a critical mass hits, you can auto-deny anything without a token. At this point, all the email you receive is from somebody who has obtained your explicit consent to do so.
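An added example (not code from the commenter, and not the Biscuit library's API) of the token mechanics described above: the mailbox issues a consent token, the sender attenuates it for a third-party mailer, and revoking the attenuated copy does not affect the sender's own token. An HMAC chain (macaroon-style) stands in for Biscuit's signature scheme; token ids, caveat names and domains are constructed.

```python
"""Consent tokens for inbound mail: a recipient issues a capability to a
sender, the sender attenuates it for a third-party mailer, and either the
token or just the attenuated copy can be revoked. HMAC chaining stands in
for the Biscuit format described above (simplified, not the Biscuit API)."""
import hashlib, hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def fingerprint(token: dict) -> str:
    """Identity of this exact token, including its attenuation history."""
    return hashlib.sha256("\n".join([token["id"], *token["caveats"]]).encode()).hexdigest()

def issue(root_key: bytes, token_id: str, caveats: list) -> dict:
    """Mailbox side: mint a token after the user approves the consent screen."""
    sig = _mac(root_key, token_id)
    for c in caveats:
        sig = _mac(sig, c)
    return {"id": token_id, "caveats": list(caveats), "sig": sig}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: add a restriction (e.g. via=mailchimp) without the root key.
    Restrictions can be appended but never removed: each signature feeds the next."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def verify(root_key: bytes, token: dict, revoked: set, ctx: dict) -> bool:
    """Recompute the chain from the root key, refuse if this token or any
    ancestor was revoked, then check every caveat against the delivery context."""
    expected = issue(root_key, token["id"], token["caveats"])["sig"]
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    # Revoking a parent revokes everything derived from it; revoking an
    # attenuated child leaves the parent usable.
    for n in range(len(token["caveats"]) + 1):
        if fingerprint({"id": token["id"], "caveats": token["caveats"][:n]}) in revoked:
            return False
    for c in token["caveats"]:
        key, _, val = c.partition("=")
        if key == "expires":
            if ctx["date"] > val:  # ISO dates compare as strings
                return False
        elif ctx.get(key) != val:
            return False
    return True
```

Because the root key never leaves the mailbox, only the recipient can verify here; Biscuit's public-key design is what lets anyone verify without the secret.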
I imagine this can be achieved with most mailboxes with a simple deny-all rule and then cherry-picking email addresses to whitelist.