Someone at BrowserStack is leaking users' email addresses (shkspr.mobi)

by m_km 104 comments 391 points


[−] streblo 40d ago
Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is often times overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589...

Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.

[−] fontain 40d ago
For a little more color for people unfamiliar with modern sales/marketing:

1. A user signs up to BrowserStack

2. BrowserStack (automatically) upload the submitted user’s information to Apollo

3. Apollo “enrich” the user’s details using information they already have about the person, e.g: company revenue, LinkedIn profile

4. Sales reps at BrowserStack use the enriched information to identify leads, bucket for marketing etc.

Apollo’s customer data sharing adds any information BrowserStack send to Apollo to the person’s profile with Apollo, accessible to all Apollo customers.

For example, any other Apollo customer can search something like “email addresses for decision makers at Example, Inc.” and get back a list including your email address (if you told BrowserStack you are a decision maker at Example, Inc.)

Every single marketing team is doing all of this, the only reason it was obvious in this case is that the OP used a unique email address for BrowserStack. If you sign up for any business product online, you surely have a profile in Apollo filled with details about you gathered from around the web (and details you submitted).

edit: https://www.apollo.io/privacy-policy/remove opt out link but Apollo are just one of many companies offering this service

[−] saxonww 40d ago
So I'm not disputing this, but I set up a similar scheme to the author almost 8 years ago and conduct 90+% of my online business through the custom emails. Everything from Amazon to small local business.

In that time I have had 'leaks' twice: my State's Fish and Wildlife licensing organ, and GitHub. In both cases I assume it's more that the email ends up being public, not because of something like Apollo.

I guess it's possible that spam is getting filtered before it ever hits my inbox.

Edit: I was responding to the idea of it leading to spam, not that Apollo wasn't collecting information on me.

For those curious: I signed up with Apollo and looked at what they had on me (via the link in the flagged/dead post by fontain). The email address they have is technically correct, but it's a non-current work email. It's still active and I do get a lot of senseless/bizarre business sales inquiries on that address. The phone number they have is wrong and I don't recognize it. They have my LinkedIn byline; it's likely how I was 'found' so quickly, as my username is the same there. I'm listed as cold.

[−] suzzer99 40d ago
I used to do the same until I got tired of it. The only two leaks I found were United Airlines and Gary Johnson, the Libertarian presidential candidate, who sold my email to the Scott Walker campaign (strongly confirming my suspicions that Republicans use libertarianism as a gateway drug).
[−] simonjgreen 40d ago
As far as you know
[−] fontain 40d ago
[flagged]
[−] nivea3066 40d ago
Maybe you'd have insight into something that happened to me recently:

I did a search (DDG, Chromium) for an Anker product line that I've been following. Clicked the link to Anker, skimmed, nothing new.

Then shortly I get an email from "Checkmate" with a promo offer.

I don't have an Anker account or whatever, don't recall signing in. I figure it's fingerprinting or cookies, but so far it's never been so overt.

I feel like this is an indicator of something, some sea change. Of needing to squeeze more water from the stone. My phone's been blowing up with spam calls since. I've been mysteriously added to email lists. I'm getting short-code text spam in addition to the regular spam, which when I report to 7726, AT&T basically tells me it's fine, it's paid for.

This may be a ploy to get me to turn the AI features back on in Gmail, but it feels like somewhere, lines have been crossed.

[−] bluefirebrand 40d ago

> This may be a ploy to get me to turn the AI features back on in Gmail, but it feels like somewhere, lines have been crossed

Lines have absolutely been crossed and there is no going back without a lot of political will

There are no rules anymore. The internet started it, and AI companies proved it. We're much worse off for it. The social contract is extremely flimsy nowadays

[−] alt227 40d ago
I had never heard of Apollo, but I was interested so I followed your link to opt out.

I have had the same work email address for 13 years. I have done lots of hardware and software purchasing in that time, and I am never shy of using my work email to sign up for things and give to account managers etc. It is used on my Microsoft SSO, my Dell business account, my Slack account etc etc.

After I jumped through all their hoops to opt out, I got this email from them:

"We searched our records with your email: xxx@xxxxxx but could not find any information associated to it in our databases. We will keep your email: xxx@xxxxxx in our suppression list in order not to create any data associated with your email."

So I guess they might not be as ubiquitous in their data capture as you may have thought? Or they are straight up lying.

[−] tgsovlerkhgsel 40d ago
Hopefully in the near future:

5. BrowserStack gets hit by a massive GDPR fine.

[−] gib444 40d ago
6. BrowserStack contests the fine for a couple of years, not paying a euro cent

7. People just remember 'BrowserStack got hit by a massive fine'

8. Everyone carries on with business as usual

[−] x0x0 40d ago
Another way these companies get data is they have credits. It costs a credit for a salesperson to enrich the data of someone they're trying to contact. There are 2 ways to gain credits: 1 - cash; 2 - the salesperson installs a plugin in their inbox and it scrapes all contact info in the inbox.

ZoomInfo is the most aggressive about this.

re apollo: inbox scraping is what they're describing here [1]

> Apollo does leverage its large network of over 2 million contributors to improve the scope and accuracy of its database of business contact information and run verification checks that result in a better user experience for its entire customer base. Most of the data we collect from our Apollo users simply forms part of our verification system to check and confirm existing information in the Apollo database.

[1] https://knowledge.apollo.io/hc/en-us/articles/20727684184589...

[−] simonjgreen 40d ago
And the sad thing is, I can guarantee this thread alone will be great marketing for Apollo and they will gain a pile of new enquiries Monday morning.
[−] gruez 40d ago

>After a brief discussion, the emailer told me they got my details from Apollo.io

The landing page for Apollo.io says it's an "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.

[−] petcat 40d ago

> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "+@" are not considered a unique email from "@". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.
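
An added illustration (not from any commenter) of the de-aliasing described above, and of why a per-service alias on your own domain still lets you attribute a leak while a plus-tag does not. The alias table and addresses are constructed sample data.

```python
from typing import Optional

# Constructed sample data: aliases issued to specific services on a domain
# the user controls. Each alias maps back to the service it was given to.
ISSUED_ALIASES = {
    "browserstack-7f3a@example.test": "BrowserStack",
    "amazon-91c2@example.test": "Amazon",
}


def dealias(address: str) -> str:
    """Normalise an address the way a CRM or enrichment tool typically does:
    lower-case it, drop any "+tag" in the local part, and for Gmail also drop
    dots. This is the step that collapses "me+browserstack@gmail.com" back
    to "me@gmail.com" and erases a plus-address canary."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def attribute_leak(seen_address: str) -> Optional[str]:
    """Given an address that turned up in unsolicited mail, return the
    service it was issued to, or None if it cannot be attributed."""
    return ISSUED_ALIASES.get(seen_address.strip().lower())


def canary_survives_dealiasing(issued: str) -> bool:
    """True if the alias still attributes to a service after a third party
    has normalised it; a per-service address on your own domain passes,
    a plus-tag on a shared mailbox does not."""
    return attribute_leak(dealias(issued)) is not None


if __name__ == "__main__":
    for addr in ("me+browserstack@gmail.com", "BrowserStack-7f3a@example.test"):
        print(addr, "->", dealias(addr), "| attributable:",
              canary_survives_dealiasing(addr))
```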

[−] jofzar 40d ago

> BrowserStack routinely sell or give away their users' data.

> A third-party service used by BrowserStack siphons off information to send to others.

> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

Or the simpler answer, their db/email list has been compromised.

[−] StefanoC 39d ago
I remember the first and only time I used BrowserStack, almost 10 years ago. I found myself logged into the Google account of somebody else. I could freely access their email, drive files, everything. I had reported this to them, and they quickly dismissed it as impossible. The dismissal itself was enough proof for me of horrific practices.
[−] Anton_Greg 39d ago
The canary email trick is clever and the OP's frustration is valid. But the most likely explanation is their data passed through a CRM into an enrichment platform like Apollo, which then made it available to other customers. That's not a breach, I think it's just how these tools are designed to work. Which might be worse because it's happening at scale across thousands of companies. The response could've been better though. When a customer raises something like this you trace the data flow and explain what happened. But the real conversation should be about the enrichment industry itself. Opt-out instead of opt-in became the default and nobody questioned it. That's where regulation needs to catch up, hence singling out individual companies won't fix anything structural
[−] theandrewbailey 40d ago
Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses?

https://en.wikipedia.org/wiki/Canary_trap

[−] sph 40d ago
Thank you for naming and shaming the company.
[−] andrewaylett 40d ago
Selected quotes from Apollo's GDPR page:

> Consent must be "freely given, specific, informed, and unambiguous."

and

> Apollo notifies them when their data is added to Apollo's database of business contact information and provides them with instructions on how to opt out.

https://knowledge.apollo.io/hc/en-us/articles/4409141087757-...

Now, their claim appears to be that they're processing business contact data under the legal basis of "Legitimate Interests". But as much as I am a big fan of not doing things that require a legal basis of "Consent", I'm unconvinced that they ensure their customers are sticking as tightly to their basis as they ought to be if they wish to claim it.

In other words: yes, if you have a CRM then you might derive legitimate interests in sharing with Apollo. But you need to make sure you actually have the right legal basis for putting customer details into your CRM, and your support database almost certainly does not hold appropriate data!

So ultimately I think this is on both BrowserStack (for connecting and sharing data other than in accordance with a legal basis) and Apollo (for making it too easy for their customers to send them data without a sound legal basis and then for sharing that data without suitably validating they had the legal basis to).

Apollo's privacy centre makes all the right claims about how they comply with GDPR, but the OP's story demonstrates that they're not as scrupulous in their verification as they claim to be. And strictly, both should be reporting the breach and taking steps to ensure it doesn't recur.

[−] jstanley 40d ago
BrightData is another company offering hosted browsers who has also recently leaked private data, although they did email customers to warn them.

I wonder if both of these companies were compromised by a shared vulnerability in headless Chrome? Or else just a coincidence that 2 headless browser companies got hacked at the same time?

I run a headless browser fingerprinting project and have found that URLs that I only fetched via BrightData have subsequently had fetches by Anthropic's Claudebot.

I think most likely an attacker who has the customer data is using Claude to analyse it.

[−] Razengan 40d ago
Thanks to iCloud I haven't used my actual email addresses anywhere in a decade (even without Hide My Email their aliases were very handy)

Caught quite a few leakers that way, by using specific addresses for specific sites or categories of sites

(Last time I tried, Gmail's aliases were useless; they included your real address in the alias!)

[−] dwedge 40d ago
I had the same thing happen with Compare The Market in the UK. I used two unique email addresses with them on two different domains and the same day both started receiving spam. I reported it to them and they don't care, because how do you prove it?
[−] justinclift 40d ago
Many years ago a substantially sized OSS group's forum software (maybe KDE or Qt? it was a long time ago) was accidentally including user email addresses in the non-user-visible HTML tags of forum pages.

Web scanners though aren't people, and easily noticed them, thus building up a database of email addresses to spam people.

It was discovered when a friend mentioned that one of their uniquely generated email addresses was being used by spammers. Similar to this post.

So, we got in contact with the forum people to let them know, and they tracked down + fixed the problem.

Perhaps a similar thing is happening to the article author, rather than purposely malicious behaviour?

[−] Macha 40d ago
Is the _very big_ company Amazon, I wonder.
[−] khalic 40d ago
This is beyond outrageous. And the data leak angle they’re pushing doesn’t make sense either.
[−] nashashmi 40d ago
Guys at seamless io do the same thing. I found a very personal email address on the system. I figured someone at work was leaking their address book to seamless.

I don’t know how to stop it

[−] freedomben 40d ago
Meta comment on the blog itself: Those theme options are really neat. Such a great touch for a personal blog!
[−] wood_spirit 40d ago
Or the company data has been compromised. That’s a really common way for emails to ‘leak’.
[−] villgax 40d ago
Email needs a consent revocation system effectively like how Blackberry had PINs for BBM
[−] xkcd1963 40d ago
We need anonymous phone numbers
[−] Flowergirl28 39d ago
A few things to note here are that what actually reached the OP was a cold sales email, not someone who had their password or payment info. The data that moved was business contact info going through a sales pipeline. Annoying? Absolutely. But the comments in here talking about GDPR fines and comparing this to actual data breaches feel like a massive escalation from what actually happened. I've seen real breaches in this industry. This isn't one. This is probably some SDR from the sales team or the prospecting tool, which is Apollo, being sloppy in this case with their processes and not thinking through what happens to the data they're working with.
[−] ohhman11 40d ago
Just wait till OP learns about Accurint!