Someone at BrowserStack is leaking users' email addresses
TL;DR Highlight
A developer using unique emails per service discovered that an email used only with BrowserStack was passed to a third party via Apollo.io, and BrowserStack has not responded.
Who Should Read
Developers operating SaaS services and integrating external CRM or marketing tools, or developers interested in privacy. Specifically, teams using BrowserStack or adopting sales automation platforms like Apollo.io.
Core Mechanics
- The author registers a unique email address with each service, so any spam arriving at one of those addresses identifies the service that leaked it. They received spam at an address used only with BrowserStack.
- When the author asked the spammer for the source of the address, they were told it came from Apollo.io. When the author then contacted Apollo.io, Apollo initially lied, claiming the address had been derived from a combination of publicly available information and corporate email patterns (firstname.lastname@domain).
- However, the address was in a completely unique format that could not have been inferred algorithmically. After being challenged by the author, Apollo.io eventually admitted that BrowserStack had shared the contact information through its 'customer contributor network' on February 25, 2026.
- Apollo.io's 'customer contributor network' operates by companies using Apollo sharing their customer contact data on the Apollo platform. This feature is enabled by default and must be explicitly opted-out to disable.
- The author attempted to contact BrowserStack multiple times but received no response. They ironically noted that the email contained the phrase 'No spam, we promise!'
- Three possible causes for the leak were identified: BrowserStack regularly sells or provides user data, a third-party service used by BrowserStack collects and leaks the data, or BrowserStack internal employees or contractors steal the data.
- From a GDPR perspective, even if Apollo claims GDPR compliance, BrowserStack would need a valid legal basis to share customer emails from its support database with Apollo, which it likely lacks. Both BrowserStack and Apollo are potentially in violation.
Evidence
- A commenter familiar with Apollo.io's operation pointed out that 'this isn't a data hack, it's how Apollo originally works.' They explained that if Apollo customers don't opt-out, their customer contact data is automatically shared on the Apollo network. (See https://knowledge.apollo.io/hc/en-us/articles/20727684184589)
- There was also an opinion that the BrowserStack sales team likely used Apollo for CRM purposes without realizing the privacy implications and uploaded the entire customer list. It's common for general sales representatives to proceed without understanding the consequences of such data sharing.
- A comment from a GDPR expert analyzed that Apollo's claim of 'Legitimate Interests' as a legal basis is not applicable to sharing emails from BrowserStack's support database with Apollo. They pointed out that both BrowserStack and Apollo should report GDPR violations and take preventative measures.
- A comment stated that the '+tag' style email alias (e.g., name+browserstack@gmail.com) is no longer effective because many services already perform de-aliasing to extract the actual email. Creating a completely separate inbox with a unique email is more effective for tracking.
- A comment mentioned that BrightData (headless browser service) recently had a similar data leak incident. The commenter discovered that URLs accessed only through their headless browser fingerprinting project were later crawled by Anthropic's ClaudeBot, suggesting that attackers may be using Claude to analyze stolen customer data.
- Shared experiences indicated that Seamless.io operates in a similar manner. A commenter discovered a very personal email address in the Seamless.io system and suspected a colleague of leaking the address book, but didn't know how to prevent it.
- A case study from the UK's Compare The Market described a similar situation. Two unique emails using different domains started receiving spam simultaneously on the same day, but no action was taken after it was reported, citing 'cannot be proven.'
How to Apply
- If you are using BrowserStack and also using sales platforms like Apollo.io, immediately check the 'customer contributor network' data sharing setting in Apollo and opt out. Data sharing is enabled by default, so you must explicitly opt out to prevent the customer contacts you upload from being automatically shared across the Apollo network.
- Teams planning to adopt external CRM or sales automation tools (Apollo, Seamless.io, etc.) must review the platform's data sharing policies and opt-out structure before contracting. Specifically, check the terms and conditions regarding how customer contacts uploaded to the platform are shared on the platform network.
- If you want to track leaks on a personal level using unique emails per service, using completely separate email aliases (e.g., SimpleLogin, Fastmail aliases) is more effective than the '+tag' method (name+site@gmail.com). Many services automatically remove '+tags' to extract the actual email.
- If you operate a service subject to EU GDPR, sharing email addresses from your customer support database with external marketing/sales platforms is not justified by 'Legitimate Interests' and may violate GDPR. You must clarify the processing basis with your legal team before sharing data.
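The per-service alias technique described above (a unique address per service, and why '+tag' aliases lose their tracking value once a sender de-aliases them) can be demonstrated with a small script. This is an added example, not code from the post or its commenters; the alias registry, the `aliases.example` domain, the sample 'To:' headers and the de-aliasing rules it mimics are all constructed assumptions.

```python
"""Per-service email aliases as a leak tracer (added example, not from the post)."""
import re

# Constructed alias registry (assumed, not from the post): one unique inbox per
# service, plus a legacy '+tag' alias for comparison.
ALIAS_REGISTRY = {
    "bs-7f3a91@aliases.example": "BrowserStack",
    "crm-20c4e5@aliases.example": "ExampleCRM",
    "alice+browserstack@gmail.com": "BrowserStack (+tag)",
}


def canonicalize(address: str) -> str:
    """Mimic the de-aliasing a marketing sender may apply before storing or
    matching an address: lowercase, drop any '+tag', and for Gmail also drop
    dots in the local part and fold googlemail.com onto gmail.com."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def attribute_leak(recipient: str, registry=ALIAS_REGISTRY):
    """Map a spam recipient address back to the service it was given to.
    Returns the service name, or None if the address is not a registered alias."""
    return registry.get(recipient.strip().lower())


def tracking_survives(alias: str, registry=ALIAS_REGISTRY) -> bool:
    """True if the alias still attributes to a service after a sender has
    de-aliased it, i.e. the tracking property survives '+tag' stripping."""
    return attribute_leak(canonicalize(alias), registry) is not None


def attribute_spam(to_headers, registry=ALIAS_REGISTRY):
    """Parse a batch of 'To:' header lines and attribute each recipient.
    Returns a list of (lowercased address, service or None) tuples."""
    results = []
    for line in to_headers:
        m = re.match(r"To:\s*<?([^\s<>]+)>?", line)
        if m:
            addr = m.group(1)
            results.append((addr.lower(), attribute_leak(addr, registry)))
    return results


# Constructed sample headers from hypothetical spam messages.
SAMPLE_TO_HEADERS = [
    "To: Bs-7F3A91@aliases.example",     # spam to the alias given only to BrowserStack
    "To: <alice@gmail.com>",             # '+tag' already stripped by the sender
    "To: alice+browserstack@gmail.com",  # a sender that kept the tag intact
]

if __name__ == "__main__":
    for addr, service in attribute_spam(SAMPLE_TO_HEADERS):
        print(f"{addr:35} -> {service or 'unattributable'}")
    for alias in ALIAS_REGISTRY:
        print(f"{alias:35} survives de-aliasing: {tracking_survives(alias)}")
```

The unique alias canonicalizes to itself, so it still attributes to BrowserStack after a sender normalizes it; the '+tag' alias collapses to the bare Gmail address and the attribution is lost. That is the property the post relies on when it says the leaked address 'could not be inferred algorithmically'.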
Related Papers
Formal Methods Meet LLMs: Auditing, Monitoring, and Intervention for Compliance of Advanced AI Systems
To monitor whether an LLM is following the rules, do not delegate the monitoring to an LLM; use a monitor based on LTL (temporal logic formulas) instead.
Bun Rust rewrite: "codebase fails basic miri checks, allows for UB in safe rust"
An issue has been raised that the Bun runtime, acquired by Anthropic, had its Zig codebase rewritten in Rust using AI, and that the result contains UB (undefined behavior) that fails even the most basic memory-safety check (miri).
MetaBackdoor: Exploiting Positional Encoding as a Backdoor Attack Surface in LLMs
A new attack technique in which an LLM backdoor is triggered by input length alone, while the input text itself looks entirely normal.
Tell HN: Dont use Claude Design, lost access to my projects after unsubscribing
A user warning that cancelling a Claude Design subscription completely blocked access to existing projects; a case that illustrates the risk of depending on AI tools for important work.
History Anchors: How Prior Behavior Steers LLM Decisions Toward Unsafe Actions
Adding a single sentence to the system prompt, 'act consistently with your previous strategy', flips top-performing LLMs from safe choices to unsafe ones, from 0% to 90%+.
Formalize, Don't Optimize: The Heuristic Trap in LLM-Generated Combinatorial Solvers
When having an LLM build a solver for combinatorial optimization problems, 'Python + OR-Tools' is the most accurate, and 'optimize for efficiency' prompts actually ruin accuracy.