Home 零对冲(ZeroHedge)每日HackerNews

浏览器Stack有用户邮箱地址泄露。
Someone at BrowserStack is leaking users' email addresses

原始链接: https://shkspr.mobi/blog/2026/04/someone-at-browserstack-is-leaking-users-email-address/

该用户为每个服务使用不同的电子邮件地址,以追踪数据泄露并防范安全漏洞。最近,一封邮件出现在一个专门用于 BrowserStack 的邮箱中,发件人通过 Apollo.io 获取了该地址。 Apollo 最初声称该地址是从公开信息中通过算法推导出来的——该用户对此提出了合理的质疑。他们后来承认 BrowserStack 通过他们的“客户贡献者网络”提供了数据,并将收集日期定在未来(2026-02-25!)。 BrowserStack 对此数据共享的询问一直没有回应。该用户怀疑 BrowserStack 要么出售用户数据,要么其第三方服务存在漏洞,要么遭受内部数据泄露。这一事件凸显了个人信息普遍且往往不透明的交易,该用户暗示将进一步披露 Apollo 如何从另一家大型公司获取其电话号码。

相关文章
原文

Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few emails back-and-forth with their support team and finally got set up.

A couple of days later I received an email to that email address from someone other than BrowserStack. After a brief discussion, the emailer told me they got my details from Apollo.io.

Naturally, I reached out to Apollo to ask them where they got my details from.

They replied:

Your email address was derived using our proprietary algorithm that leverages publicly accessible information combined with typical corporate email structures (e.g., [email protected]).

Wow! A proprietary algorithm, eh? I wonder how much AI it takes to work out "firstname.lastname"????

Obviously, their response was inaccurate. There's no way their magical if-else statement could have derived the specific email I'd used with BrowserStack. I called them out on their bullshit and they replied with:

Your email address came from BrowserStack (browserstack.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

The date of collection is 2026-02-25.

So I emailed BrowserStack a simple "Hey guys, what the fuck?"

Web contact form. It says "No spam, we promise."

I love their cheery little "No spam, we promise!"

Despite multiple attempts to contact them, BrowserStack never replied.

Given that this email address was only used with one company, I think there are a few likely possibilities for how Apollo got it.

  • BrowserStack routinely sell or give away their users' data.
  • A third-party service used by BrowserStack siphons off information to send to others.
  • An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

There are other, more nefarious, explanations - but I consider that to be unlikely. I suspect it is just the normalisation of the shabby trade in personal information undertaken by entities with no respect for privacy.

But, it turns out, it gets worse. My next blog post reveals how Apollo got my phone number from from a very big company.

Be seeing you 👌

联系我们 contact @ memedata.com