SendGrid blurts out OWN customers' email addresses with no help from hackers
Along came some spiders and saw the unsubscribers...
Cloud-based email marketing service SendGrid has copped to blabbing customer email addresses, chalking it up to some overenthusiastic indexing without explaining why pages were public-facing in the first place.
In a breach notice sent out on Tuesday 2 October, SendGrid said that "some email addresses processed through the Group Unsubscribe feature of the SendGrid platform over the last nine months may have been exposed through major search engines".
Oddly, the whole message is about crawling mitigation, and not about why that information was made available to crawlers in the first place.
The leak, which SendGrid said it detected on Friday 28 September, was ascribed to a network misconfiguration, rather than any glam hacker action or a specific software vulnerability. The message made no mention of SendGrid fixing the fact it had made the data publicly available in the first place, rather than putting it behind a log-in page, for example.
The cloud marketing firm said:
On December 11, 2017, we introduced new load balancing infrastructure to manage capacity across our platform. The pages that utilized this infrastructure did not include specific instructions within their page headers to inform search engines not to index (or "crawl") links within the Unsubscribe Groups feature.
As a result, these links contained the email address of the recipient wishing to unsubscribe and the name of the SendGrid customer from whom they had unsubscribed.
The slip-up meant that email addresses could have been harvested through careful probing of Google and the like. The leak was limited to SendGrid customers that used the Unsubscribe Groups feature, and the recipients of emails from that subset of users – seemingly a small group. However, the firm said it was "unable to pinpoint the exact email addresses and SendGrid customer names which may have been made available to search engines during the period from December 11, 2017 to August 17, 2018".
No other personal or financial data was exposed, according to SendGrid.
The firm added that it had updated its "headers to prevent any future search engine crawling of the Unsubscribe Groups feature". It said it had been in touch with Google, Bing et al to purge that data and that it was "actively working on multiple projects to ensure we prevent future search engine crawling".
The Reg asked SendGrid yesterday why it hadn't focused on making sure nobody could access the pages without proper credentials, instead of just asking crawlers to please not show the information in their search results. A noindex instruction is a request that well-behaved search engines honour; it does nothing to stop a scraper, or anyone else who gets hold of one of those links, from reading the address sitting in it. We'll update when it responds.
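To make the design choice at issue concrete, here is an added illustration that is not SendGrid's code: the leaky pattern the notice describes, where the recipient address and customer name travel in the URL and only a response header asks crawlers to stay away, next to a design that hands out an opaque, single-use, expiring token and keeps the identifying data server-side. The host name, class and field names are made up for the example.

```python
"""Unsubscribe links: the pattern the notice describes beside an opaque-token
design.  Added illustration for this article, not SendGrid's code; the host
name, class and field names are made up."""
from __future__ import annotations

import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://mail.example.invalid"  # hypothetical unsubscribe host


# --- The leaky pattern: identifying data lives in the URL itself --------------
def leaky_link(email: str, customer: str) -> str:
    """Whoever sees this URL (a crawler included) sees address and sender."""
    return f"{BASE}/unsubscribe?" + urlencode({"email": email, "customer": customer})


def leaky_handler(url: str) -> dict:
    """The page trusts the query string; nothing here checks who is asking."""
    q = parse_qs(urlparse(url).query)
    return {"status": 200, "headers": {},
            "email": q["email"][0], "customer": q["customer"][0]}


# --- Opaque, single-use, expiring token -----------------------------------------
class UnsubscribeStore:
    """Server-side map from hashed token to (email, customer, expiry)."""

    # Still sent, but as defence in depth rather than as the access control.
    ROBOTS = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self._pending: dict[str, tuple[str, str, float]] = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash so a dump of the table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, email: str, customer: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits; the URL reveals nothing
        self._pending[self._key(token)] = (email, customer, now + self.ttl)
        return f"{BASE}/u/{token}"

    def handle(self, url: str, now: float | None = None) -> dict:
        now = time.time() if now is None else now
        token = urlparse(url).path.rsplit("/", 1)[-1]
        # Single use: the record is consumed whether or not the request succeeds,
        # so a link that a crawler re-fetches later gets a 404, not a page.
        rec = self._pending.pop(self._key(token), None)
        if rec is None:
            return {"status": 404, "headers": dict(self.ROBOTS)}
        email, customer, expiry = rec
        if now > expiry:
            return {"status": 410, "headers": dict(self.ROBOTS)}
        # Real code would record the opt-out here before confirming it.
        return {"status": 200, "headers": dict(self.ROBOTS),
                "email": email, "customer": customer}


if __name__ == "__main__":
    store = UnsubscribeStore()
    print(leaky_link("alice@example.invalid", "Acme Widgets"))
    link = store.issue_link("alice@example.invalid", "Acme Widgets")
    print(link)
    print(store.handle(link)["status"], store.handle(link)["status"])  # 200 then 404
```

The hardened version keeps the noindex header, but nothing about its security depends on a crawler honouring it: a harvested link contains no address and no customer name, it stops working after one use, and it expires on its own. The leaky version has no such fallback, which is why a missing header was enough to turn it into a data leak.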
Three years ago SendGrid admitted that a much wider set of information – usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts – had been exposed after hackers stole login details to a SendGrid worker's account. ®