Ghostery Email Incident Update

May 26, 2018 | By Ghostery Team

Dear Ghostery Users,

We are very sorry! Ghostery sent out an email yesterday that resulted in the exposure of account holders’ email addresses to other Ghostery account holders and Ghostery users. We would like to provide some clarification and transparency regarding our GDPR email that unintentionally revealed the email addresses of some of our user accounts.

Summary

  • Ghostery sent out an email on May 25, 2018 that unintentionally resulted in the exposure of some account holders’ email addresses.
  • Only email addresses were exposed.
  • You are not affected if you use Ghostery but did not provide an email address to us.
  • You are not affected if you did not receive the GDPR email from Ghostery.
  • As soon as we found out, we stopped using the email distribution tool.
  • Ghostery is currently working to rectify the incident and we will keep our users updated.

What exactly happened?

Recently, we decided to stop using a third-party email automation platform. In an effort to be more secure, we wanted to manage user account emails in our own system, so we could fully monitor and control data practices surrounding them. Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient, was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the “To” field. We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.

Only email addresses and the fact that you are on our mailing list were inadvertently disclosed.

How do I know if I was affected?

Once we realized what happened, we immediately stopped sending out additional emails, and stopped the process for all future emails. Luckily, it did not affect all account holders. You were only affected if you are an account holder and received our GDPR email on Friday, May 25, 2018.

If you are a Ghostery user without an account, you were not affected.

What will Ghostery do now?

We take our privacy and security practices very seriously; after all, they are both part of the value statement for our own products. This incident was a clear mistake, and we deeply apologize to our users and anyone else affected.

We will be reporting the incident as mandated by the GDPR.

We have already terminated the email distribution and already determined what went wrong. It was a simple human mistake.

Furthermore, while this was an error with update emails that all account holders will continue to receive (e.g., when we’re legally required), we are providing clear instructions on how to opt out of future Ghostery product and marketing emails or delete an account for those who wish to do so, as well as permanently expunging any user data upon request. If you prefer to not receive these updates you may delete your account.

How can I opt out of Ghostery emails or delete my account entirely?

While we would be sorry to see you go, we understand user concerns that may arise in the wake of this incident. If you would like to opt out of our mailing list:

  1. Go to https://account.ghostery.com/
  2. Sign in to your account
  3. Uncheck the box under Email Preferences (“Yes, I would like to stay up-to-date on Ghostery enhancements”)

If you would like to delete your account entirely and permanently:

  1. Go to https://account.ghostery.com/
  2. Sign in to your account
  3. At the bottom of the page, hit “Cancel Account”

You can also access your account page from within the extension by going into Settings, choosing “Account,” and choosing “Edit Account.”

We will continue to provide updates on our website and social platforms.

As a team dedicated wholeheartedly to the enhancement of the privacy of the user, we are contrite about this incident.

We hope you accept our sincere apology.

Ghostery Team
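
The failure described under “What exactly happened?” (a whole batch placed in the “To” field instead of one email per recipient), shown as an added example that is not Ghostery's code: it builds the batch-addressed message beside the per-recipient form and adds a pre-send check that rejects any message exposing more than one address. The sender address, function names and recipients are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "notices@example.com"  # constructed placeholder, not a real sender


class RecipientLeak(Exception):
    """Raised when a message would show one recipient's address to another."""


def _message(to_value, subject, body):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_value
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_batch(recipients, subject, body):
    """The failure mode: one message with the whole batch in the To header."""
    return _message(", ".join(recipients), subject, body)


def build_individual(recipients, subject, body):
    """The intended behaviour: one message per recipient, one To address each."""
    return [_message(rcpt, subject, body) for rcpt in recipients]


def visible_recipients(msg):
    """Addresses that every recipient can read in the delivered headers."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, limit=1):
    """Pre-send gate: refuse a message exposing more than `limit` addresses."""
    seen = visible_recipients(msg)
    if len(seen) > limit:
        raise RecipientLeak(f"{len(seen)} addresses visible in To/Cc")
    return seen
```

Running `check_before_send` on every outgoing message, immediately before it is handed to the mail transport, stops a batch-addressed message regardless of which sending tool produced it.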