Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Social Networks The Internet IT

Glassdoor Exposes 600,000 Email Addresses (siliconbeat.com) 94

A web site where users anonymously review their employer has exposed the e-mail addresses -- and in some cases the names -- of hundreds of thousands of users. An anonymous reader quotes an article from Silicon Beat: On Friday, the company sent out an email announcing that it had changed its terms of service. Instead of blindly copying email recipients on the message, the company pasted their addresses in the clear. Each message recipient was able to see the email addresses of 999 other Glassdoor users...

Ultimately, the messages exposed the addresses of more than 2 percent of the company's users... Last month, the company said it had some 30 million monthly active users, meaning that more than 600,000 were affected by the exposure... Although the company didn't directly disclose the names of its users, many of their names could be intuited from their email addresses. Some appeared to be in the format of "first name.last name" or "first initial plus last name."

A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously and we know this is not what is expected of us. It certainly isn't how we intend to operate."
This discussion has been archived. No new comments can be posted.

Glassdoor Exposes 600,000 Email Addresses

Comments Filter:
  • by Anonymous Coward

    They have a glass door policy there.

  • by Anonymous Coward on Sunday July 24, 2016 @06:44PM (#52572409)

    We take the privacy of our users very seriously

    Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".

    Uhmm... no, clearly you do not. If you did, then you would not have exposed their email addresses in this manner. This is the opposite of "taking privacy seriously".

    Stop saying this, companies. It does not make it better. What makes it better is to demonstrate through actions and policies that you actually do take privacy seriously. There are ways to do this. Not perfect ways, but very good ways. Follow them. Then, and only then can you say this and then look yourself in the mirror with a clear conscience.

    Such a mistake was presumably not intentional, but with actual good security practices, this would not have been possible without considerable effort to circumvent the security practices in place. Put them in place. THEN come tell us you "take privacy seriously". We don't care about the words. We care about the actions.

    • by arth1 ( 260657 )

      Every time. Every time there's some major leak of personal info, emails or credit cards or medical records, we hear the same refrain. "We take the privacy of our users seriously".

      At this point, it's not even spin anymore, but etiquette. Much like after tragedies, politicians say that their thoughts are with the families. Or you saying "I'm fine, how are you" or "call me and let's have coffee". Everybody knows it's a lie, but you're supposed to go through with it anyhow, as etiquette greases the wheels and helps prevent escalations.

    • When they say "We take X seriously" they mean "We care about appearing to take X seriously".

    • It's not even too late to mitigate the breach, or at least it wasn't when they were busy composing that mealy-mouthed non-apology. They could have taken the entire site offline, deleted all user accounts, and sanitized all user account info from the comment database. Then go back online and require all users to start over with new accounts. But they clearly don't take user privacy that seriously.
  • by bjwest ( 14070 )
    You shouldn't try to talk shit about anyone behind their back. Anonymous rating/review sites are ripe for abuse and slander, and the info should be taken with a grain of salt, if not ignored altogether.
    • How dare these peons communicate about their earnings and working conditions?! Don't they know a desperate reserve labor force is critical to our economy?
    • by Anonymous Coward

      You shouldn't try to talk shit about anyone behind their back. Anonymous rating/review sites are ripe for abuse and slander, and the info should be taken with a grain of salt, if not ignored altogether.

      Yes. But there may be something to it too.

      I would never publicly expose an employer for anything - even if I had proof - because I would become unemployable. And suing and getting compensation under whistle blower laws? Well, it better be enough to allow me to live well for the rest of my life AND cover any other legal expenses I may incur if my ex-employer decides to come after me for something.

      Here's what happens to many [cbsnews.com] and I'm trying to find the Economist article they did years that told of one pers

    • by Antique Geekmeister ( 740220 ) on Monday July 25, 2016 @12:51AM (#52573403)

      > Anonymous rating/review sites are ripe for abuse and slander

      They're also priceless for due diligence by new employees, or for safely publishing thoughts about toxic workplaces. I used to regularly review the old "www.fuckedcompany.com" website for the real inner doings of clients, especially pending layoffs that might affect contracts with them.

  • ....the execs of Glassdoor see this and hop onto the escape jet to an undisclosed tropical island
  • by ark1 ( 873448 ) on Sunday July 24, 2016 @06:57PM (#52572465)
    Emails addresses were exposed, that is bad news for sure. However it does not look like you can actually accurately tie the email address with reviews.
    • by Calydor ( 739835 ) on Sunday July 24, 2016 @07:17PM (#52572563)

      Boss of Company has suspected Employee of writing a really bad review but has no evidence.

      Employee is suddenly confirmed as a member of GlassDoor.com.

      Employee is fired.

      • by ark1 ( 873448 )
        If an employer is suspecting an employee of writing a bad review, that employee would likely be gone long before the leak. This said there is for sure a chance, albeit in odd cases.
      • by Kneo24 ( 688412 )
        I was one of the people affected by this. You can only see about a thousand emails or so in the sent list. Your chances of this scenario happening are 1 in 600.
  • by Anonymous Coward

    For this egregious error will have no lasting consequences applied to them.

    Don't get me wrong. The low cost Indian PR firm or intern that was hired to deal with this issue will be fired. but the CEO who brought down the cost cutting measures that ment they had to hire the cut rate Indian firm/interns will simply get a rise.

    Noting to see here please move along.

  • If they wanted to suggest some kind of privacy to the their users they would have called their site opaque door or at least frosted glass door.
  • This happens all the time. It's generally done by some dead-end user that CC's instead of BCC's a group of people he knows the latest greatest cat video, or even better, a forward this email and receive $$ (or save the children) email. Even more funny is when this is caused by malware installed by some executable executed by said user that is repetitively spewing out garbage email to everyone on the address list or even worse is used on a botnet.

    The only reason this is brought to light is the said d

    • It's generally done by some dead-end user that CC's instead of BCC's

      You should be aware that BCC is not a guarantee that others will not see addresses. RFC5322 [rfc-editor.org] says: " The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message." This SOUNDS like it should be safe to use for sending messages to a lot of people without anyone knowing who else got it, but it isn't. RFC5322 talks about three common ways that mail systems deal with BCC, and says:

      In t

      • by arth1 ( 260657 )

        This is one of those areas where people assume the standards say one thing but actually don't. Like idiot web page designers who think they know the list of acceptable characters in an email address and yet they prohibit "+".

        In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address. And even if the mail server isn't 100% standard, it will tell you whether it can parse the address, which is almost always what you want to know anyhow.
        If the e-mail server accepts [10.20.30.40]!hub!node1!user as an e-mail address, why should the web app care? It's not doing the routing or delivery and has no business telling anyone what's

        • In those cases, I have always wondered why the devs try to do this in the first place. In almost all cases, you can ask the e-mail server whether it's a valid address.

          The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.

          I've looked at the javascript source for this on several pages. It's all the same. And I've given the correct code to at least one site, telling them "add the following lines". It's a virus coming from somew

          • by arth1 ( 260657 )

            The web page designers are pushing the test onto the client so 1) there is immediate response as the user types it in and he can fix it if it truly is a mistake before moving on, and 2) it puts the computation onto the client and doesn't waste a PUT and their server's time with what may be invalid data.

            That's all kinds of dumb, given that the client can modify the javascript and tell it that an address is validated. So it must be verified at the server end too, anyhow.

            I have had lengthy email exchanges with the support people at such websites, and it is always fun for them to tell me that "+" is not a valid character in an email address when they are happily conversing with someone who has a "+" in his email address. Obviously it is valid; obviously they are idiots.

            Try using an e-mail address with @ in the local part...
            Or having an e-mail address on a TLD, like hostmaster@museum.

            It's not for the sender to decide what's valid. It should decide whether it's routeable, and leave it up to recipient to decide whether it's valid.
            And it's certainly not up to a web page that isn't even the sender.

            I'm also ir

            • So it must be verified at the server end too, anyhow.

              Most people are not going to know how to modify the javascript, and it isn't trivial anyway. The code isn't verifying the address, it is validating the syntax. You can't verify an address without actually trying to send to it.

              It's not for the sender to decide what's valid.

              If you can properly manage RFC5322, there is no reason not to flag invalid syntax as soon as possible. The failure is people who ignore the standards, or are working in a job where knowledge of the standards is critical and they just don't care.

  • Bankrupcy (Score:4, Insightful)

    by whoever57 ( 658626 ) on Sunday July 24, 2016 @07:24PM (#52572589) Journal
    Glassdoor deserves to go bankrupt and shut down over this. They have spectacularly failed in the one thing they should have done: keeping the identity of their posters secret.
    • by zifn4b ( 1040588 )

      Glassdoor deserves to go bankrupt and shut down over this.

      Nope. Always use a burner email address! Glassdoor is pretty much the only service that exposes toxic employer practices. These employers go to great lengths to hide and misrepresent employment engagements in the name of apathetic profits. It's the only way Americans have to keep employers held to some standard of employment environments in the white collar world especially.

  • Democrats have the worse luck with email. Time to switch to smoke signals perhaps?

  • by Ol Olsoc ( 1175323 ) on Sunday July 24, 2016 @09:08PM (#52572883)
    A Glassdoor spokesperson said "We are extremely sorry for this error. We take the privacy of our users very seriously

    No you don't you stupid assholes. Because you just showed how frivolously you take their privacy by telling the world who they are, in as mindlessly careless a way as can be imagined.

    May all of your employees find new jobs, and may you go out of business in as humiliating a way as possible.

    • May all of your employees find new jobs, [...]

      <pendant>

      Well, except for the ones that are responsible for this, be they technical, legal or managerial.

      </pendant>

      :-)

  • I have witnessed this sort of thing happen either at an employer or at a client business, it occurred shortly after the hiring of a bubbly new young marketing coordinator.

  • I was one of the people 'exposed', it was sent directly 'To:' myself and a large number (guessing 998) other addresses. Immediately realized this could expose people..gah..
  • Glass doors in my house have been exposing my bare ass for years.

  • ...like the decimal point or in this case, the infamous second letter of the alphabet: B
  • by ihtoit ( 3393327 ) on Monday July 25, 2016 @06:34AM (#52574093)

    let me break it down like this: an anonymous website where you have to give a valid email address tied to you the person is NOT anonymous.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...