Someone at BrowserStack is leaking users' email addresses
TL;DR Highlight
A developer using unique emails per service discovered that an email used only with BrowserStack was passed to a third party via Apollo.io, and BrowserStack has not responded.
Who Should Read
Developers operating SaaS services and integrating external CRM or marketing tools, or developers interested in privacy. Specifically, teams using BrowserStack or adopting sales automation platforms like Apollo.io.
Core Mechanics
- The author uses a method of generating unique email addresses for each service, allowing them to track which service leaked their email. They received spam to a unique email used only with BrowserStack.
- When the author asked the spammer for the source, they were told it came from Apollo.io. When the author then contacted Apollo.io, Apollo initially lied, claiming the email had been derived from a combination of publicly available information and corporate email patterns (firstname.lastname@domain).
- However, the email address was in a completely unique format that could not be inferred algorithmically. After being challenged by the author, Apollo.io eventually admitted that BrowserStack shared the contact information through its 'customer contributor network' on February 25, 2026.
- Apollo.io's 'customer contributor network' operates by companies using Apollo sharing their customer contact data on the Apollo platform. This feature is enabled by default and must be explicitly opted-out to disable.
- The author attempted to contact BrowserStack multiple times but received no response. They ironically noted that the email contained the phrase 'No spam, we promise!'
- Three possible causes for the leak were identified: BrowserStack regularly sells or provides user data, a third-party service used by BrowserStack collects and leaks the data, or BrowserStack internal employees or contractors steal the data.
- From a GDPR perspective, even if Apollo claims GDPR compliance, BrowserStack would need a valid legal basis to share customer emails from its support database with Apollo, which it likely lacks. Both BrowserStack and Apollo are potentially in violation.
Evidence
- A commenter familiar with Apollo.io's operation pointed out that 'this isn't a data hack, it's how Apollo originally works.' They explained that if Apollo customers don't opt-out, their customer contact data is automatically shared on the Apollo network. (See https://knowledge.apollo.io/hc/en-us/articles/20727684184589)
- There was also an opinion that the BrowserStack sales team likely used Apollo for CRM purposes without realizing the privacy implications and uploaded the entire customer list. It's common for general sales representatives to proceed without understanding the consequences of such data sharing.
- A comment from a GDPR expert analyzed that Apollo's claim of 'Legitimate Interests' as a legal basis is not applicable to sharing emails from BrowserStack's support database with Apollo. They pointed out that both BrowserStack and Apollo should report GDPR violations and take preventative measures.
- A comment stated that the '+tag' style email alias (e.g., name+browserstack@gmail.com) is no longer effective because many services already perform de-aliasing to extract the actual email. Creating a completely separate inbox with a unique email is more effective for tracking.
- A comment mentioned that BrightData (headless browser service) recently had a similar data leak incident. The commenter discovered that URLs accessed only through their headless browser fingerprinting project were later crawled by Anthropic's ClaudeBot, suggesting that attackers may be using Claude to analyze stolen customer data.
- Shared experiences indicated that Seamless.io operates in a similar manner. A commenter discovered a very personal email address in the Seamless.io system and suspected a colleague of leaking the address book, but didn't know how to prevent it.
- A similar situation was reported involving the UK's Compare The Market: two unique emails on different domains started receiving spam simultaneously on the same day, but no action was taken after it was reported, on the grounds that it 'cannot be proven.'
How to Apply
- If you use BrowserStack and also use a sales platform like Apollo.io, immediately check the 'customer contributor network' sharing setting in Apollo and opt out. Sharing is enabled by default, so unless you explicitly opt out, the customer contacts you upload are automatically shared on the Apollo network.
- Teams planning to adopt external CRM or sales automation tools (Apollo, Seamless.io, etc.) must review the platform's data sharing policies and opt-out structure before contracting. Specifically, check the terms and conditions regarding how customer contacts uploaded to the platform are shared on the platform network.
- If you want to track leaks on a personal level using unique emails per service, using completely separate email aliases (e.g., SimpleLogin, Fastmail aliases) is more effective than the '+tag' method (name+site@gmail.com). Many services automatically remove '+tags' to extract the actual email.
- If you operate a service subject to EU GDPR, sharing email addresses from your customer support database with external marketing/sales platforms is not justified by 'Legitimate Interests' and may violate GDPR. You must clarify the processing basis with your legal team before sharing data.
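The per-service address scheme described under Core Mechanics, and the reason the '+tag' variant fails against de-aliasing, can be shown in a few lines. The following is an added example and not the author's tooling or anything from BrowserStack or Apollo.io; the mailbox domain canary.example, the service names and every address in it are constructed for illustration.

```python
import secrets

# Constructed example: "canary.example" and all addresses below are assumptions,
# not addresses from the original post.


def make_alias(service: str, domain: str) -> str:
    """Mint a fresh, non-guessable address for one service on a domain you control.

    The random token is what matters: it cannot be reconstructed from a name,
    a company, or a firstname.lastname pattern, so mail arriving at it proves
    the address was obtained from the one service it was registered with.
    """
    token = secrets.token_hex(4)  # 8 hex characters
    return f"{service}-{token}@{domain}"


def build_registry(services, domain: str) -> dict:
    """Map each minted alias to the service it was handed to."""
    return {make_alias(s, domain): s for s in services}


def dealias(address: str) -> str:
    """Collapse an address the way common mailing tools do before matching.

    Lowercase it, drop any '+tag' from the local part, and for Gmail-hosted
    mailboxes also drop dots, which Gmail ignores.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def attribute_leak(recipient: str, registry: dict):
    """Name the service whose alias received the message, or None if unknown."""
    return registry.get(recipient.strip().lower())


def attribute_after_dealias(recipient: str, registry: dict):
    """Same lookup, but on the de-aliased form of the address.

    This models a broker that normalises records before using them: a '+tag'
    alias has already lost its tag and no longer matches any registry entry,
    while a separate alias survives normalisation unchanged.
    """
    return registry.get(dealias(recipient))


if __name__ == "__main__":
    # '+tag' scheme: every alias collapses to the same inbox once de-aliased,
    # so the leaking service can no longer be identified.
    plus_tags = {"alice+browserstack@gmail.com": "browserstack",
                 "alice+ci-vendor@gmail.com": "ci-vendor"}
    print(attribute_after_dealias("alice+browserstack@gmail.com", plus_tags))  # None

    # Separate-alias scheme: de-aliasing leaves each address distinct.
    registry = build_registry(["browserstack", "ci-vendor"], "canary.example")
    leaked = next(a for a, s in registry.items() if s == "browserstack")
    print(attribute_after_dealias(leaked, registry))  # browserstack
```

Keep the registry somewhere the mail pipeline can consult it (a filter rule per alias is enough for a personal setup); the attribution is only as good as the record of which alias went to which service.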
Terminology
Apollo.io: An 'AI sales platform' that helps companies find and manage sales prospects. A key feature is a network structure in which customers share their contact data with each other.
customer contributor network: The data sharing mechanism used by Apollo.io. Companies using Apollo provide their customer contacts to Apollo, which adds them to a database searchable by other Apollo customers.
canary trap: A technique of giving each recipient slightly different information so that the source of a leak can be identified. In this case, the author gave each service its own unique email address, so spam arriving at one address identifies which service leaked it.
opt-out: A model in which a feature is enabled by default and users must explicitly decline it to turn it off. The opposite is opt-in, where explicit consent is required to activate it.
Legitimate Interests: One of the legal bases for processing personal data under GDPR. It allows data to be processed without consent when the company has a 'legitimate interest,' but it is often misused.
de-alias: The process of tracing or reducing an email alias back to the underlying address. For example, removing '+site' from name+site@gmail.com to obtain name@gmail.com.