back to article Glassdoor spaffs users' email addresses in bcc fail

Jobs site Glassdoor accidentally outed hundreds of users seeking employment in pastures new when it despatched an email and failed to use the bcc button. The missive was sent to users at the weekend and intended to update them on the company's terms and conditions. One user said: "They later sent a follow up email saying …

  1. Alister Silver badge

    Questions

    Why aren't they using proper mailshot software if they do regular newsletters?

    Why don't writers of email clients, and / or webmail clients put in place a sanity check, so that if you have more than (say) ten users in the to or cc fields, it asks you what the fuck you are doing.

    1. TonyJ Silver badge

      Re: Questions

      "...Why don't writers of email clients, and / or webmail clients put in place a sanity check, so that if you have more than (say) ten users in the to or cc fields, it asks you what the fuck you are doing..."

      I must confess to not remembering the defaults (and being too lazy right now to Google) but Exchange mailtips has this sort of scenario in mind. It doesn't stop users from sending out but will pop up yellow or red message bars to tell you that you're possibly about to do something dumb.

      Alas not many Exchange admins seem to be aware of them or use them to their full extent.

      Oh and I just remembered they don't work at all when running offline/cached as they're generated by the server.

      1. Vince

        Re: Questions

        I believe one (of many) reasons is that you need to be running Exchange 2013 as I don't think that feature arrived before then, so I guess most places can't that run in-house Exchange.

        EDIT: Nope - actually turns out they rocked up in Exchange 2010 so for Exchange organisations I imagine more are on 2010 than 2013, so probably could use it.

      2. Sven Coenye

        Re: Questions

        Yet perversely, MS hosted O365 Exchange instances now have "Reply All" set as the default action of the Reply button...

    2. Crazy Operations Guy

      Re: Questions

      Don't even need complicated software, I wrote a script that ran on our SMTP relay; you feed it a file containing the message you want to send and a csv with the email addresses and the variables in the message you want to replace. Took me less than a week worth of slack time to write and now there is no possibility of accidentally leaking recipients.

    3. Mephistro Silver badge
      Facepalm

      Re: Questions

      What astonishes me is that CC is the default, instead of BCC. If you use BCC when you should have used CC, you only need to resend the email, perhaps with a small note of apology. If it's the other way round..."It's raining shit, Hallelujah...".

  2. JimmyPage Silver badge
    Facepalm

    Q:Why aren't they using proper mailshot software if they do regular newsletters?

    A:££££££££ (or rather lack of willingness to spend).

    On the plus side, there's clearly an opening at Glassdoor.com for someone with a clue.

    1. Anonymous Coward
      Anonymous Coward

      Re: Q:Why aren't they using proper mailshot software if they do regular newsletters?

      Yeah, Glassdoor is a great place to work! 4.4 / 5 stars!

      ...according to https://www.glassdoor.com/glassdoor

  3. Mark Simon

    Dire Consequences

    I once did some contract work for a company who were somewhat tardy in payments. When the manager sent an email to the contractors about his cash flow problems, he put us all in the To: header.

    This resulted in one of the other contractors emailing the rest of us telling us that we’ll probably never get paid. This in turn led to more emails, and eventually we became an informal action group, each of us sharing tales of woe, as well as snippets of scandal.

    The company folded, the manager went bankrupt, and was given a gaol sentence for crimes committed in trying to cover his financial problems.

    We never did get paid, but it makes a good story — not using the BCC button can get you in deep trouble.

  4. Mike Shepherd
    Meh

    "We are incredibly sorry for our error"

    No, I don't believe it, either.

    1. Flywheel Silver badge

      Re: "We are incredibly sorry for our error"

      "We are incredibly sorry for our error that we got caught"

      No doubt "lessons will be learnt" - we'll sack a few junior staff pour encourager les autres.

      1. DJV Silver badge

        Re: "We are incredibly sorry for our error"

        They were obviously THIS sorry:

        https://www.youtube.com/watch?v=oYOZ3IzRaf4

    2. Captain DaFt

      Re: "We are incredibly sorry for our error"

      Nowadays, when I see this:

      "We take the privacy of our users very seriously and are taking corrective steps to ensure this doesn’t happen again."

      It gets internally processed as corporate speak for:

      "Aw, here's the world's smallest violin playing Hearts and Flowers, just for you. Ain't it grand being our client?"

  5. SteveK

    BCC not always blind

    I remember receiving grief once when someone *did* use BCC to send email, but the email addresses were still visible to other BCC recipients (but not 'To' recipients). Turns out that mail client had an option about how to handle BCC headers. By default, it was compliant with RFC822, which says:

    4.5.3. BCC / RESENT-BCC

    This field contains the identity of additional recipients of the message. The contents of this field are not included in copies of the message sent to the primary and secondary recipients. Some systems may choose to include the text of the "Bcc" field only in the author(s)'s copy, while others may also include it in the text sent to all those indicated in the "Bcc" list.

    Looks as though later RFCs have tightened that up to say the addresses shouldn't be visible to any other recipient.

    1. David Roberts Silver badge

      Re: BCC not always blind

      Hmmm.....wondering now if there are different potential options for those on the same mail server and if BCC recipients may only be dropped at the relay servers as the mail message fans out.

      Vague memories of mail addresses for the local domain being stripped off at the relay server and all the rest being left on the forwarded message.

  6. cd

    If a company says they take my privacy seriously, I don't take them seriously.

    1. VulcanV5

      If a company says they take my privacy seriously, then I know that sooner or later, they are seriously going to take my privacy away.

      1. Anonymous Coward
        Anonymous Coward

        Yup. I know marketers. They dump your info in cloud databases like Salesforce, dump it out to spreadsheets, email it to dozens of employees and contractors, who upload it to their own cloud databases, and so on and so forth.

  7. John Brown (no body) Silver badge

    "affected less than 3 per cent of Glassdoor users"

    Funny how when it's their cockup 3% is "only", "less than" ie by implication it's "just" a small amount.

    If the business grows by 3%, it's shouted from the rooftops like it's a huge number.

    PR people seem to live in a universe with variable physical laws.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019