# Stadia Maps Privacy Fail

This is a tale as old as email, but it made me laugh so I thought I'd share it.

I have an account with [https://stadiamaps.com](https://stadiamaps.com). I don't even remember setting it up, so it's certainly not something I've used in a long time. Anyway, I received an email from them today:

> Subject: [Legal Notice] We've updated our legal docs

It contains information about how they've updated their Terms of Service, Privacy Policy and published a new Data Processing Addendum. According to the email, this is for my protection. Also:

> Our privacy stance has not changed: it remains fiercely privacy-first.

__Fiercely__ privacy-first. Impressive! Can you guess what they did?

Yeah... They put 1,000 of their users' email addresses right there in the To header.

Luckily I used a custom email address for them, as I do for all companies, so it doesn't matter that my email was leaked:

Just over an hour later, I received this from their CEO, [Luke Seelenbinder](https://ee.linkedin.com/in/lukeseelenbinder):

> I'm writing to let you know that the Legal Notice email I sent earlier today
> was sent with multiple recipient addresses visible in the To field. That was
> my mistake, and I'm incredibly sorry.

Ouch. I bet you're not having a good day.

> I want to be straightforward: your email address was visible to some of the
> other recipients of that message. No other personal data was exposed.

If you wanted to be straightforward you would have said ~1,000 instead of "some".

> We've taken steps to prevent this from happening again. I'd ask that you
> please delete the original message and do not use the recipient list for
> any purpose.

Good luck with that.

> We build our business on privacy as a principle. That makes this mistake
> especially frustrating, and it's one I take personally. You deserve better.

How do you "build your business on privacy as a principle"? The same way as every other business that "takes my privacy seriously", I bet. Easiest claim in the world to make.

> If you have any questions or concerns, reply directly to this email and I'll
> respond personally.

At least you didn't include 1,000 emails in your second email's To header, I suppose.

I guess it's not entirely his fault. The email was sent through [Mailgun](https://www.mailgun.com/). How does Mailgun not prevent this from happening? Crazy.