sMoRTy71.com - the personal website of Shawn Morton
Friday, April 20, 2007
Spock exposing user e-mail addresses
... and sending them to total strangers.

Spock, the new people search engine that has been getting some attention recently, sent me a private beta invite this afternoon.

After unsuccessfully trying to use the link they sent me, I noticed something interesting. They are actually putting the user's e-mail address into the activation link. Not a smart move.

To make matters worse (not for me, though), they encoded someone else's e-mail address in the link. So not only do I have a bad experience and can't log in, someone by the name of C******** Y*** has just had her e-mail address sent to a complete stranger via Spock.

Beta service or not, that is just poor privacy and data protection. I'm kind of sorry that I gave them my e-mail address now. Who knows who got my invite? Maybe I could ask C********.

[UPDATE: 4:53PM] Spock responded to my e-mail (and this blog post) with the following:

"I just saw your blog post on Spock’s exposing people’s email addresses. We actually had a technical issue with a small batch of emails that we sent out that we are resolving.

We apologize for the mess up – and have not sent out any further links. Also, we have not sent out any emails except with C********’s encrypted email and we are working to resolve the situation. In order to protect the privacy of the person whose email got sent out via encrypted link, we’d like to ask you to take down her name and replace it with an alias if possible in order to reduce the damage done."
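
The design point at issue, as an added example that is not part of the original post and is not Spock's code: an invite link built from a random token that the server maps to the address, plus a check that flags links from which the recipient's address can be recovered. The `InviteStore` class, the `example.invalid` URL, the sample address and the base64 form of the "legacy" link are all assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import urllib.parse

BASE_URL = "https://example.invalid/activate"  # placeholder, not Spock's URL


class InviteStore:
    """In-memory stand-in for an invite table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> {"email": str, "used": bool}

    def issue(self, email):
        # 32 random bytes; the token is not derived from the address.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = {"email": email, "used": False}
        return f"{BASE_URL}?t={token}"

    def redeem(self, token):
        # Look the address up server-side; unknown or reused tokens fail.
        row = self._rows.get(hashlib.sha256(token.encode()).hexdigest())
        if row is None or row["used"]:
            return None
        row["used"] = True
        return row["email"]


def leaked_encodings(link, email):
    """Name the common encodings of `email` that appear inside `link`."""
    raw = email.encode()
    forms = {
        "plain": email,
        "percent": urllib.parse.quote(email, safe=""),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
    }
    return sorted(n for n, v in forms.items() if v.lower() in link.lower())


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample address
    legacy = f"{BASE_URL}?e={base64.urlsafe_b64encode(email.encode()).decode()}"
    link = InviteStore().issue(email)
    print(leaked_encodings(legacy, email))  # address recoverable from the URL
    print(leaked_encodings(link, email))    # nothing to recover
```

With the token form, a link delivered to the wrong mailbox still discloses nothing about the intended recipient, and `leaked_encodings` can run as a pre-send check on outgoing mail.
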
Comments:
Hi - It was an error in one of our servers. We are sending invite codes out based on who signed up. We never reveal email addresses and only send an invite out to you with your specific email.

We apologize about that last batch. As soon as it was caught, it was corrected. It was an error in one of our databases where the same link got sent to several people (with you being one of them).

We do not publish email addresses, spam email addresses, or in any way attempt to contact you (unless you specifically sign-up for an update from spock, or request a one time transaction like password reset).
 
Thanks for providing an update. I still question the practice of putting any e-mail address in a URL.
 
Hi - thanks for the feedback and bringing this to our attention. We are going to re-create our invite links so that they do not include any type of e-mail or identifying information. This should not have been an issue if every link went to the right e-mail account. But as our server hiccup showed, it was.

Jay
 
Shady..did you see their website?
 
