Ad-blocking tool Ghostery suffered from a pretty impressive, self-inflicted screwup Friday when the privacy-minded company accidentally CCed hundreds of its users in an email, revealing their addresses to all recipients.
Fittingly, the inadvertent data exposure came in the form of an email updating Ghostery users about the company’s data collection policies. The ad blocker was sending out the message to affirm its commitment to user privacy as the European Union’s digital privacy law, known as the General Data Protection Regulation (GDPR), goes into effect.
The email arrived in inboxes with the subject line “Happy GDPR Day — We’ve got you covered!” In the body of the email, the company informed users, “We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.”
What Ghostery likely didn’t intend to do was immediately expose all of its users. CCed to the email were hundreds of other recipients, their email addresses all readily viewable to others receiving the message. Ghostery users took to social media to complain about the exposure.
Ehi @Ghostery you know that when you sent me your GDPR email you put the other recipients in cc and not in bcc?
— Ah OK (@metapapero) 25 May 2018
Gizmodo spoke to three Ghostery users who received the GDPR email from the company and had their email addresses revealed in the CC line of the message. All three confirmed that they had yet to receive any follow-up from Ghostery regarding the situation. Gizmodo also reached out to Ghostery but did not receive a reply.
Amazingly, all three users said no one had replied to the email yet, sparing the hundreds of other recipients from being caught in an endless reply allpocalypse. “In one of the most stunning displays of humanity I have ever seen, no one has yet reply-all’d with a snarky comment,” Twitter user Linguica said in a DM.
Most of the users who spoke about the incident said they would continue using Ghostery. Dan Previte, a web developer from Chicago and Ghostery user, told Gizmodo he would continue using the tool but noted, “It does make me think their dev team is maybe not great at protecting my personal information. So I’d be less likely to allow them to collect usage data or something.” One user going by /home/$USER said they had just signed up for Ghostery Friday to run some tests with the tool and have already dropped it.
While the email screwup was likely a simple mistake, Ghostery, which blocks trackers scattered on websites that collect personal data from users, has come under fire for some of its practices in the past. For nearly a year, the company faced criticism for selling anonymised user data to businesses. It has since changed to a business model that sells analytics data about ads and offers an affiliate marketing programme to users.