Ad-blocking tool Ghostery suffered from a pretty impressive, self-inflicted screw-up Friday when the privacy-minded company accidentally carbon copied hundreds of its users in an email, revealing their addresses to all recipients.
Fittingly, the inadvertent data exposure came in the form of an email updating Ghostery users about the company’s data collection policies. The ad blocker was sending out the message to affirm its commitment to user privacy as the European Union’s digital privacy law, known as the General Data Protection Regulation (GDPR), goes into effect.
The email arrived in inboxes with the subject line “Happy GDPR Day — We’ve got you covered!” In the body of the email, the company informed users, “We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”
What Ghostery likely didn’t intend to do was immediately expose all of its users. CCed to the email were hundreds of other recipients, their emails all readily viewable to others receiving the message. Ghostery users took to social media to complain about the exposure.
HELL YES @Ghostery JUST SENT ME A GDPR EMAIL WITH FIVE HUNDRED EMAIL ADDRESSES CC’ED ON IT!! THANKS GHOSTERY!!!! pic.twitter.com/y0Xas28wd1
— Linguica (@andrewrstine) May 25, 2018
Ehi @Ghostery you know that when you sent me your GDPR email you put the other recipients in cc and not in bcc?
— Ah OK (@metapapero) May 25, 2018
Wtf, did @Ghostery really just send out their #GDPR email with users’ email address visible to everyone?! #GDPRfail pic.twitter.com/kURlhoQOtY
— Sebastian Waters (@sebastianwaters) May 25, 2018
Ghostery says they’ve got you covered by sending you an email. One that shows your email id with hundreds of other email addresses on it. ???? #gdprfail pic.twitter.com/ef8Gs7mwqE
— Nends (@Nendsannvw) May 25, 2018
GG @Ghostery, you definitely do have our backs! LOL
Looks like you leaked your recipients #GDPR #Privacy #Security pic.twitter.com/eOQJNIbxqW
— /home/$USER (@init3_) May 25, 2018
Gizmodo spoke to three Ghostery users who received the GDPR email from the company and had their emails revealed in the CC line of the message. All three confirmed that they had yet to receive any follow-up from Ghostery regarding the situation. Gizmodo also reached out to Ghostery but did not receive a reply.
Amazingly, all three users said no one had replied to the email yet, sparing the hundreds of other recipients from being caught in an endless reply allpocalypse. “In one of the most stunning displays of humanity I have ever seen, no one has yet reply-all’d with a snarky comment,” Twitter user Linguica said in a DM.
Most of the users who spoke about the incident said they would continue using Ghostery. Dan Previte, a web developer from Chicago and Ghostery user, told Gizmodo he would continue using the tool but noted, “It does make me think their dev team is maybe not great at protecting my personal information. So I’d be less likely to allow them to collect usage data or something.”
One user going by /home/$USER said they had just signed up for Ghostery Friday to run some tests with the tool and have already dropped it.
While the email fuck up was likely a simple mistake, Ghostery, which blocks trackers scattered on websites that collect personal data from users, has come under fire for some of its practices in the past. For nearly a year, the company faced criticism for selling anonymized user data to businesses.
It has since changed to a business model that sells analytics data about ads and offers an affiliate marketing program to users.