Glassdoor Exposes 600,000 Email Addresses (siliconbeat.com)
A web site where users anonymously review their employer has exposed the e-mail addresses -- and in some cases the names -- of hundreds of thousands of users. An anonymous reader quotes an article from Silicon Beat:
On Friday, the company sent out an email announcing that it had changed its terms of service. Instead of blindly copying email recipients on the message, the company pasted their addresses in the clear. Each message recipient was able to see the email addresses of 999 other Glassdoor users...
Ultimately, the messages exposed the addresses of more than 2 percent of the company's users... Last month, the company said it had some 30 million monthly active users, meaning that more than 600,000 were affected by the exposure... Although the company didn't directly disclose the names of its users, many of their names could be intuited from their email addresses. Some appeared to be in the format of "first name.last name" or "first initial plus last name."
A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously and we know this is not what is expected of us. It certainly isn't how we intend to operate."
No one should be surprised (Score:1, Funny)
They have a glass door policy there.
Re: (Score:1)
The wonderful thing about posting anonymously is that, from a purely objective perspective, ideas have to stand on their own merits. Nothing can be subjective. This is why winning an argument on the internet is like pissing in an ocean of piss, as we've seen in the above 5 posts.
When you try to get into empirical proof, especially anything having to do with history, then you need reputation because nobody ever invests in science for the good of mankind and because people will choose what they want to beli
Re: (Score:1)
Are you saying this lass is attired such that her teats are visible through the fabric of their clothing? And she may be of loose moral character? Might be worth going in for an interview even with no intent of working there.
companies always say the same thing (Score:5, Insightful)
We take the privacy of our users very seriously
Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".
Uhmm... no, clearly you do not. If you did, then you would not have exposed their email addresses in this manner. This is the opposite of "taking privacy seriously".
Stop saying this, companies. It does not make it better. What makes it better is to demonstrate through actions and policies that you actually do take privacy seriously. There are ways to do this. Not perfect ways, but very good ways. Follow them. Then, and only then can you say this and then look yourself in the mirror with a clear conscience.
Such a mistake was presumably not intentional, but with actual good security practices, this would not have been possible without considerable effort to circumvent the security practices in place. Put them in place. THEN come tell us you "take privacy seriously". We don't care about the words. We care about the actions.
Re: (Score:2)
If they took it seriously, they'd buy some competence.
Re: companies always say the same thing (Score:1)
Competence is a thing most only discover they don't have until after they needed it.
Re: (Score:2)
Re: (Score:2)
Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".
At this point, it's not even spin anymore, but etiquette. Much like after tragedies, politicians say that their thoughts are with the families. Or you saying "I'm fine, how are you" or "call me and let's have coffee". Everybody knows it's a lie, but you're supposed to go through with it anyhow, as etiquette greases the wheels and helps prevent escalations.
Re: (Score:2)
When they say "We take X seriously" they mean "We care about appearing to take X seriously".
Re: (Score:2)
That's what you get. (Score:1, Insightful)
Re: (Score:2)
Re: (Score:1)
You shouldn't try to talk shit about anyone behind their back. Anonymous rating/review sites are ripe for abuse and slander, and the info should be taken with a grain of salt, if not ignored altogether.
Yes. But there may be something to it too.
I would never publicly expose an employer for anything - even if I had proof - because I would become unemployable. And suing and getting compensation under whistle blower laws? Well, it better be enough to allow me to live well for the rest of my life AND cover any other legal expenses I may incur if my ex-employer decides to come after me for something.
Here's what happens to many [cbsnews.com] and I'm trying to find the Economist article they did years ago that told of one pers
Re: (Score:1)
I think the point was 'living in the US'.
Here in the "free" world, exposing your employer for whatever might get you fired. But sued? The idea is ridiculous.
And if what you expose is actually illegal, how could you get fired for it?
And even if you did get fired it wouldn't imply 'not eating' or 'being homeless'.
It's a culture difference, I guess.
Re:That's what you get. (Score:4)
> Anonymous rating/review sites are ripe for abuse and slander
They're also priceless for due diligence by new employees, or for safely publishing thoughts about toxic workplaces. I used to regularly review the old "www.fuckedcompany.com" website for the real inner doings of clients, especially pending layoffs that might affect contracts with them.
Monster lawsuit on the horizon.... (Score:1)
Re: (Score:2)
It's called Navel Gazing, not Navy Gazing.
Bad but not so bad (Score:3)
Re:Bad but not so bad (Score:5, Interesting)
Boss of Company has suspected Employee of writing a really bad review but has no evidence.
Employee is suddenly confirmed as a member of GlassDoor.com.
Employee is fired.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
That just might be the case. Most of the names might be burner accounts. Or do I have too much faith in people?
Re: (Score:2)
That just might be the case. Most of the names might be burner accounts. Or do I have too much faith in people?
You do.
A large amount of people are both lazy and ignorant. Which is probably why they posted at glassdoor in the first place, after being passed for promotions or bonuses, or being replaced by a very small shell script.
Chances are that a great many of these people not only used their real name in their e-mail, but posted from company computers, with the access and data logged. And the only reason they haven't been fired already is that IT doesn't have capacity to wade through all the crap that management
Re: (Score:2)
"Number," not "amount." "People" is a countable noun.
Is there a term for people trying to be pedants, but not being pedantic enough?
In short, you're wrong. While "people" is sometimes used as a substitute for "persons", that does not transform it into a countable. In its singular form, it is still a group noun, like "money" or "slime".
There is indeed an error in the sentence you criticized, but it's with using "are" instead of "is", and not using "amount" instead of "number".
Re: (Score:2)
Nope. Those are mass nouns. Perhaps you meant collective nouns? Not that either. A collective noun is like a platoon (made of soldiers) or a flock (made of sheep).
Maybe this is why "27 people" makes sense, but "31 money" or "4 slime" don't.
Collective or individual (Score:2)
There is indeed an error in the sentence you criticized, but it's with using "are" instead of "is", and not using "amount" instead of "number".
Interesting, but you're only half right.
"A large number of people are both lazy and ignorant" is grammatically correct.
"A large amount of people is both lazy and ignorant" is also arguably correct.
But it says a different thing. The first sentence says that there are many people who are, individually, both lazy and ignorant. The phrase "lazy and ignorant" applies to the individuals in the group. The second sentence says that the subject of the sentence, "a large amount of people" considered as a single
Re: (Score:2)
Re: (Score:1)
I still don't understand. By now you should know that these "breaches" are an everyday thing. Why would you ever give your real name and/or card?
The person or persons responsible... (Score:2, Insightful)
For this egregious error will have no lasting consequences applied to them.
Don't get me wrong. The low-cost Indian PR firm or intern that was hired to deal with this issue will be fired. But the CEO who brought down the cost-cutting measures that meant they had to hire the cut-rate Indian firm/interns will simply get a raise.
Nothing to see here, please move along.
To their credit they are called the glass door (Score:5, Funny)
Just because you have access (Score:2)
This happens all the time. It's generally done by some dead-end user that CC's instead of BCC's a group of people he knows the latest greatest cat video, or even better, a forward this email and receive $$ (or save the children) email. Even more funny is when this is caused by malware installed by some executable executed by said user that is repetitively spewing out garbage email to everyone on the address list or even worse is used on a botnet.
The only reason this is brought to light is the said d
Re: (Score:3)
It's generally done by some dead-end user that CC's instead of BCC's
You should be aware that BCC is not a guarantee that others will not see addresses. RFC5322 [rfc-editor.org] says: " The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message." This SOUNDS like it should be safe to use for sending messages to a lot of people without anyone knowing who else got it, but it isn't. RFC5322 talks about three common ways that mail systems deal with BCC, and says:
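The two comments above (CC instead of BCC, and BCC not being a guarantee) describe a mass-mailing failure that is easy to reproduce and easy to test for. The following is an added example, not Glassdoor's code or anything from the article: it builds a terms-of-service notice three ways (addresses in To:, addresses in Bcc:, one message per recipient) and measures how many other users' addresses a recipient can read out of the headers. The recipient addresses are constructed, and the batch size of 1,000 is an assumption drawn from the "999 other Glassdoor users" figure in the summary.

```python
# Added example (not Glassdoor's code): a bulk notice built the way the story
# describes, beside the per-recipient version, with a check that counts how many
# other users' addresses a recipient can read out of the headers.
# Recipient addresses are constructed; BATCH_SIZE = 1000 is an assumption taken
# from "999 other Glassdoor users" in the summary.
from email.message import EmailMessage
from email.policy import default

BATCH_SIZE = 1000  # assumed batch size; see lead-in


def _base_message(sender, subject, body):
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def broken_batch_notices(recipients, subject, body, sender="noreply@example.invalid"):
    """The mistake: one message per batch, the whole batch in the visible To: header,
    so everyone in the batch sees everyone else."""
    for start in range(0, len(recipients), BATCH_SIZE):
        msg = _base_message(sender, subject, body)
        msg["To"] = ", ".join(recipients[start:start + BATCH_SIZE])
        yield msg


def bcc_batch_notices(recipients, subject, body, sender="noreply@example.invalid"):
    """The half-fix: the batch moved to Bcc:. Whether those addresses stay hidden
    now depends on the header being stripped before the bytes leave the sender
    (smtplib.SMTP.send_message does that; handing msg.as_bytes() to a raw
    sendmail() or to a third-party API may not), which is the RFC 5322 caveat."""
    for start in range(0, len(recipients), BATCH_SIZE):
        msg = _base_message(sender, subject, body)
        msg["To"] = sender  # undisclosed-recipients style
        msg["Bcc"] = ", ".join(recipients[start:start + BATCH_SIZE])
        yield msg


def safe_notices(recipients, subject, body, sender="noreply@example.invalid"):
    """The fix that needs no trust in the mail path: one message per recipient,
    and no other user's address anywhere in it."""
    for rcpt in recipients:
        msg = _base_message(sender, subject, body)
        msg["To"] = rcpt
        yield msg


def other_addresses_in_headers(msg, sender):
    """Addresses other than the sender's that appear in the message's address
    headers. Bcc is counted on purpose: if it is still in the message object here,
    the only thing keeping it private is whatever sends the message next."""
    found = set()
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            found.update(a.addr_spec.lower() for a in header.addresses)
    found.discard(sender.lower())
    return found


def max_exposure(messages, sender="noreply@example.invalid"):
    """Worst case over a set of outgoing messages: the largest number of addresses
    a single recipient could read that are not their own. 0 is the only acceptable value."""
    worst = 0
    for msg in messages:
        others = other_addresses_in_headers(msg, sender)
        # the recipient's own address is legitimately visible to them
        worst = max(worst, max(len(others) - 1, 0))
    return worst


if __name__ == "__main__":
    users = [f"first.last{i}@example.invalid" for i in range(2500)]  # constructed
    for name, builder in (("cc batch", broken_batch_notices),
                          ("bcc batch", bcc_batch_notices),
                          ("per recipient", safe_notices)):
        print(f"{name:14s} worst exposure: {max_exposure(builder(users, 'ToS update', 'text'))}")
```

The check is deliberately stricter than "is anything in To: or Cc:": a release gate for outbound bulk mail should fail on any message that carries another user's address in any header, because the per-recipient build makes that unnecessary and removes the dependency on every downstream hop stripping Bcc correctly.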
Re: (Score:2)
This is one of those areas where people assume the standards say one thing but actually don't. Like idiot web page designers who think they know the list of acceptable characters in an email address and yet they prohibit "+".
In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address. And even if the mail server isn't 100% standard, it will tell you whether it can parse the address, which is almost always what you want to know anyhow.
If the e-mail server accepts [10.20.30.40]!hub!node1!user as an e-mail address, why should the web app care? It's not doing the routing or delivery and has no business telling anyone what's
Re: (Score:3)
In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address.
The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.
I've looked at the javascript source for this on several pages. It's all the same. And I've given the correct code to at least one site, telling them "add the following lines". It's a virus coming from somew
Re: (Score:2)
The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.
That's all kinds of dumb, given that the client can modify the javascript and tell it that an address is validated. So it must be verified at the server end too, anyhow.
I have had lengthy email exchanges with the support people at such websites, and it is always fun for them to tell me that "+" is not a valid character in an email address when they are happily conversing with someone who has a "+" in his email address. Obviously it is valid; obviously they are idiots.
Try using an e-mail address with @ in the local part...
Or having an e-mail address on a TLD, like hostmaster@museum.
It's not for the sender to decide what's valid. It should decide whether it's routeable, and leave it up to recipient to decide whether it's valid.
And it's certainly not up to a web page that isn't even the sender.
I'm also ir
Re: (Score:2)
So it must be verified at the server end too, anyhow.
Most people are not going to know how to modify the javascript, and it isn't trivial anyway. The code isn't verifying the address, it is validating the syntax. You can't verify an address without actually trying to send to it.
It's not for the sender to decide what's valid.
If you can properly manage RFC5322, there is no reason not to flag invalid syntax as soon as possible. The failure is people who ignore the standards, or are working in a job where knowledge of the standards is critical and they just don't care.
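The subthread above (the "+" character, hostmaster@museum, "@" inside a quoted local part, and syntax checking versus verification) is easy to make concrete. The following is an added example, not code from any site discussed here: it puts the kind of copy-pasted regex the thread complains about next to an RFC 5322 addr-spec parse using only the Python standard library's email.headerregistry.Address. All sample addresses are constructed.

```python
# Added example (not from any site's code): the naive client-side pattern the
# thread complains about beside an RFC 5322 parse with the standard library.
# All sample addresses below are constructed.
import re
from email import errors
from email.headerregistry import Address

# Typical copy-pasted pattern: no '+' allowed, and the domain must contain a dot.
NAIVE_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def naive_is_valid(addr):
    """What many form validators do. Note the '$' trap: with re.match, '$' also
    matches just before a trailing newline, so 'user@example.com\\n' passes."""
    return NAIVE_EMAIL_RE.match(addr) is not None


def rfc5322_addr_spec(addr):
    """Parse addr as an RFC 5322 addr-spec with the stdlib parser.
    Returns (local_part, domain) on success, None otherwise. The parser accepts
    '+' tags, quoted local parts and dotless domains, and refuses CR/LF outright,
    which is the header-injection case the regex above lets through.
    This is a syntax check only; whether the mailbox exists can only be learned
    by sending to it."""
    try:
        parsed = Address(addr_spec=addr)
    except (ValueError, errors.HeaderParseError):
        return None
    return parsed.username, parsed.domain


SAMPLES = [  # constructed
    "first.last@example.com",
    "first.last+glassdoor@example.com",  # '+' is ordinary atext under RFC 5322
    "hostmaster@museum",                 # the dotless-domain address from the thread
    '"joe@home"@example.com',            # '@' inside a quoted local part
    "first.last@example.com\n",          # trailing newline: the '$' trap
    "nobody",                            # no '@' at all
    "a@b@c",                             # second '@' outside quotes
]


def verdicts(samples=SAMPLES):
    """Both checks over the samples, as {address: (naive_ok, rfc5322_ok)}."""
    return {s: (naive_is_valid(s), rfc5322_addr_spec(s) is not None) for s in samples}


if __name__ == "__main__":
    for addr, (naive_ok, rfc_ok) in verdicts().items():
        print(f"{addr!r:40} naive={naive_ok!s:5} rfc5322={rfc_ok}")
```

Running it shows the two checks disagreeing in both directions: the regex rejects legitimate addresses with "+" tags and dotless domains, and accepts an address with a trailing newline that a server-side check must never let into a mail header. Either check is only syntax; the server has to repeat it regardless of what the browser did, and only an actual delivery attempt tells you the mailbox exists.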
Bankruptcy (Score:4, Insightful)
Re: (Score:2)
Glassdoor deserves to go bankrupt and shut down over this.
Nope. Always use a burner email address! Glassdoor is pretty much the only service that exposes toxic employer practices. These employers go to great lengths to hide and misrepresent employment engagements in the name of apathetic profits. It's the only way Americans have to keep employers held to some standard of employment environments in the white collar world especially.
Burned yet again (Score:1)
Democrats have the worst luck with email. Time to switch to smoke signals perhaps?
Uh huh (Score:3)
No you don't you stupid assholes. Because you just showed how frivolously you take their privacy by telling the world who they are, in as mindlessly careless a way as can be imagined.
May all of your employees find new jobs, and may you go out of business in as humiliating a way as possible.
Re: (Score:2)
May all of your employees find new jobs, [...]
<pendant>
Well, except for the ones that are responsible for this, be they technical, legal or managerial.
</pendant>
every time (Score:2)
I have witnessed this sort of thing happen either at an employer or at a client business; it occurred shortly after the hiring of a bubbly new young marketing coordinator.
Re: (Score:2)
Older sales directors do it too. I'd consider writing about it, but it wasn't _my_ company's sales director.
Glad to see this covered here (Score:2)
Obviously (Score:2)
Glass doors in my house have been exposing my bare ass for years.
I always forget some mundane detail! (Score:2)
something wrong with this picture (Score:4, Insightful)
let me break it down like this: an anonymous website where you have to give a valid email address tied to you the person is NOT anonymous.