• by Ray Schultz , May 29, 2018

Ghostery, the web browser extension that promises to “protect your data,” sent a GDPR compliance email on Friday that exposed the email addresses of recipients, putting it in potential conflict with GDPR. 

 “Happy GDPR Day,” the email started. Attached to each message were 500 email addresses.  

The company blames a new email distirbution tool, and says it has stopped using the tool. But the public relations damage has been done.

“Hey @Ghostery,” said one customer tweet. “You sent your privacy policy update email without blind CCing the contacts. Now I'm on an email chain with a whole bunch of randoms replying to your no-reply email address.”

On Saturday, Ghostery tweeted: "Due to a technical issue, Ghostery sent out an email that resulted in the exposure of some Ghostery users’ email addresses. We sincerely apologize."

That tweet linked to a more detailed post on the episode.   

Ghostery states in the post that “due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the ‘To’ field.”

The post did not specify how many email addresses were affected, but media reports put it in the hundreds. According to Bleeping Computer, the emails were sent to batches of 500 users, with every user able to see the other users’ email addresses.

The company maintains that only email addresses were exposed, and that users who have not provided an email address were not affected. It also says that the mistake affected only people who received the GDPR email.

It also offers instructions to users who want to opt out or delete their account, and says it will “permanently expunge any user data upon request.”

Ghostery says it has seven million active monthly users.