Someone at BrowserStack is leaking users' email addresses

Causes of the BrowserStack Email Leak

  • Several hypotheses:
    • Classic data compromise of BrowserStack’s database or email list.
    • Intentional sharing/selling of customer data to third parties or data brokers.
    • Use of a sales-enrichment tool (Apollo) that then redistributed the address.
    • Accidental upload of customer lists to a CRM/enrichment platform by sales staff.
  • Some argue intentional data sharing is more common than breaches; others strongly disagree and say most leaks they see trace back to breaches or careless integrations, not direct selling.

Apollo and the Enrichment Ecosystem

  • Multiple comments explain that modern B2B tools (Apollo, ZoomInfo, etc.):
    • “Enrich” leads by aggregating business contact data from many customers.
    • May scrape inboxes or CRMs in exchange for credits.
    • Redistribute contributed contact info to all customers by default, often on an opt‑out basis.
  • Several point out this is likely what happened: BrowserStack fed user data into Apollo, which then exposed it to another Apollo customer.

Legality, GDPR, and Responsibility

  • Discussion of GDPR’s “legitimate interests” vs “consent”:
    • Storing customer data in a CRM might be covered.
    • Pushing support or incidental contacts into a global enrichment network likely is not.
  • Some call for large fines; others argue this is “just” unwanted sales contact, not a classic breach.
  • Shared blame suggested: BrowserStack for over-sharing, Apollo for making it too easy and not validating legal bases.

Do Companies Actually Sell Email Lists?

  • Conflicting claims:
    • Some insist companies routinely sell lists or hand everything to brokers.
    • Others say email lists have little enterprise value and that direct list‑selling is rarer than people think.
    • There are anecdotes of bosses buying lists and of specific organizations clearly leaking addresses.

Email Aliasing and Canary Techniques

  • Many describe giving every service a unique address (custom domains, plus‑aliases, relay/masking services).
  • Benefits:
    • Identifying leakers and data brokers.
    • Simple filtering and spam triage.
  • Drawbacks:
    • Some services block or normalize aliases.
    • Catch‑all domains can attract mass spam.
  • Compared to “canary traps”: each alias acts as a leak detector.
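
The per-service alias idea above, written out as a small mail classifier. This is an added example, not code from the discussion; the alias registry, the domains (all under reserved example names) and the sample messages are constructed for illustration. It also covers the catch-all drawback by separating aliases that were never issued from aliases that leaked.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: each alias handed out, and the sender domains
# that are expected to write to it.
ISSUED = {
    "browserstack@mail.example.org": {"browserstack.example"},
    "me+shop@example.net": {"shop.example"},
}
CATCH_ALL_DOMAINS = {"mail.example.org"}  # assumed catch-all custom domain

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "Delivered-To: browserstack@mail.example.org\n"
    "From: Support <support@browserstack.example>\nSubject: Receipt\n\nbody",
    "Delivered-To: browserstack@mail.example.org\n"
    "From: Sales <rep@vendor.example>\nSubject: Quick question\n\nbody",
    "Delivered-To: info@mail.example.org\n"
    "From: promo@bulk.example\nSubject: Offer\n\nbody",
]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def from_service(sender_domain, allowed):
    # Accept the registered domain and any subdomain of it.
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def classify(raw_message):
    """Return (verdict, alias) for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    # Prefer Delivered-To (envelope recipient); To may be absent or forged.
    alias = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    if alias in ISSUED:
        return ("expected" if from_service(sender, ISSUED[alias]) else "leak", alias)
    if domain_of(alias) in CATCH_ALL_DOMAINS:
        # Alias was never given to anyone: guessed address, not a leak.
        return ("never-issued", alias)
    return ("unknown", alias)


if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The From header is unauthenticated, so an "expected" verdict is only as good as the sender check behind it; a "leak" verdict names the service whose alias escaped regardless of who sent the message.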

Broader Sentiment

  • Strong frustration with opaque data‑sharing, enrichment norms, and opt‑out models.
  • Concern that current practices erode trust and that regulation lags behind the enrichment industry.