Posted by Ethereal on November 5, 2023 at 5:47 PM UTC.
So, we screwed up. A shift in how we notify users led to our first batch mailing test for Happy Holidays to be sent today; where it rapidly became apparent that there was a misconfiguration of everybody being sent emails via the to field, as opposed to the bcc field. This means that other people could see the email addresses of other users (within a group of 750 users).
As it stands, we are indefinitely freezing all development on the platform until we decide the next steps following this breach; and following the outcome of the report to the ICO.
Timeline of Events
At 1651, we used our new batch mailing software to send out a notification that Happy Holidays was live for registration.
At 1700, we were made aware that this had inadvertently exposed user email addresses to other users on the platform.
At 1728, we completed a report to the ICO (https://ico.org.uk/) to report this breach to them; and took the step to freeze all development.
At 1736, we realised we sent the emails in chunks of 750; which limits exposure.
If you are worried about your data, you can take the following steps to remove your account from the platform:
Navigate to the My Account page.
Click Security.
Click Delete Account. We will be prioritising deletion requests as a matter of urgency in the next 10 days.
As it stands, we are indefinitely freezing all development on the platform until we decide the next steps following this breach; and following the outcome of the report to the ICO.
Timeline of Events
At 1651, we used our new batch mailing software to send out a notification that Happy Holidays was live for registration.
At 1700, we were made aware that this had inadvertently exposed user email addresses to other users on the platform.
At 1728, we completed a report to the ICO (https://ico.org.uk/) to report this breach to them; and took the step to freeze all development.
At 1736, we realised we sent the emails in chunks of 750; which limits exposure.
If you are worried about your data, you can take the following steps to remove your account from the platform:
Navigate to the My Account page.
Click Security.
Click Delete Account. We will be prioritising deletion requests as a matter of urgency in the next 10 days.