Stadia Maps Privacy Fail


Article written by a human: Mike Cardwell

This is a tale as old as email, but it made me laugh so I thought I'd share it. I have an account with https://stadiamaps.com. I don't even remember setting it up, so it's certainly not something I've used in a long time.

Anyway, I received an email from them today:

Subject: [Legal Notice] We've updated our legal docs

It contains information about how they've updated their Terms of Service, Privacy Policy and published a new Data Processing Addendum. According to the email, this is for my protection. Also:

Our privacy stance has not changed: it remains fiercely privacy-first.

Fiercely privacy-first. Impressive! Can you guess what they did? Yeah... They put 1,000 of their users' email addresses right there in the To header. Luckily I used a custom email address for them, as I do for all companies, so it doesn't matter that my email was leaked.

Just over an hour later, I received this from their CEO, Luke Seelenbinder:

I'm writing to let you know that the Legal Notice email I sent earlier today was sent with multiple recipient addresses visible in the To field. That was my mistake, and I'm incredibly sorry.

Ouch. I bet you're not having a good day.

I want to be straightforward: your email address was visible to some of the other recipients of that message. No other personal data was exposed.

If you wanted to be straightforward you would have said ~1,000 instead of "some".

We've taken steps to prevent this from happening again. I'd ask that you please delete the original message and do not use the recipient list for any purpose.

Good luck with that.

We build our business on privacy as a principle. That makes this mistake especially frustrating, and it's one I take personally. You deserve better.

How do you "build your business on privacy as a principle"? The same way as every other business that "takes my privacy seriously", I bet. Easiest claim in the world to make.

If you have any questions or concerns, reply directly to this email and I'll respond personally.

At least you didn't include 1,000 emails in your second email's To header I suppose.

I guess it's not entirely his fault. The email was sent through Mailgun. How does Mailgun not prevent this from happening? Crazy.
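The guard that was missing here is a small one, so here is what it looks like. This is an added example written for this post, not Mailgun's code or anything Stadia Maps runs: a pre-send check that counts the addresses visible in To/Cc and refuses anything that exposes more than one, plus the fix, which is to rebuild one copy per recipient so each person sees only their own address. The sample message and the four addresses in it are constructed for the demo.

```python
import email
from email.message import Message
from email.utils import getaddresses

# A bulk notice should expose at most one address (the recipient's own).
MAX_VISIBLE = 1

# Constructed sample, modelled on the incident: a legal notice with every
# recipient listed in the To header. The addresses are invented.
RAW_LEAKY = (
    "From: notices@example.com\n"
    "To: alice@example.org, bob@example.net, carol@example.com, dave@example.org\n"
    "Subject: [Legal Notice] We've updated our legal docs\n"
    "\n"
    "Our privacy stance has not changed.\n"
)
LEAKY = email.message_from_string(RAW_LEAKY)


def visible_recipients(msg: Message) -> list[str]:
    """Every address that all recipients of this message get to see.

    Only To and Cc count: Bcc is stripped by any sane MTA before delivery
    and the SMTP envelope is never shown to the recipient.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_before_send(msg: Message, max_visible: int = MAX_VISIBLE) -> tuple[bool, str]:
    """Refuse to hand a message to the MTA if it leaks a recipient list."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        return False, f"refusing to send: {len(seen)} addresses visible in To/Cc"
    return True, f"ok: {len(seen)} visible address(es)"


def split_per_recipient(msg: Message, recipients: list[str]) -> list[Message]:
    """The fix: one copy per recipient, each showing only its own address.

    This is what a mass-mailing API does when you give it a recipient list
    instead of pasting the list into a header yourself.
    """
    copies = []
    for rcpt in recipients:
        copy = email.message_from_string(msg.as_string())
        del copy["To"]   # Message.__delitem__ is a no-op if the header is absent
        del copy["Cc"]
        copy["To"] = rcpt
        copies.append(copy)
    return copies


def others_exposed_to(msg: Message, me: str) -> int:
    """Receiver's view: how many other people's addresses were leaked to me."""
    return len([a for a in visible_recipients(msg) if a != me.lower()])


if __name__ == "__main__":
    ok, reason = check_before_send(LEAKY)
    print(reason)                                   # refusing to send: 4 addresses visible in To/Cc
    for copy in split_per_recipient(LEAKY, visible_recipients(LEAKY)):
        print(copy["To"], check_before_send(copy)[1])
    print("leaked to alice:", others_exposed_to(LEAKY, "alice@example.org"))
```

Run it and the original message is rejected outright, while each of the rebuilt copies passes because it exposes exactly one address. The last function is the recipient-side version of the same count, which is how you get a real number ("three others", or in this case ~1,000) rather than "some".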
