Mastodawn

Someone at BrowserStack Is Leaking Users' Email Address

https://shkspr.mobi/blog/2026/04/someone-at-browserstack-is-leaking-users-email-address/

Someone at BrowserStack is Leaking Users' Email Address

Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address. A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few…

Terence Eden’s Blog

> BrowserStack routinely sell or give away their users' data.

> A third-party service used by BrowserStack siphons off information to send to others.

> An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

Or the simpler answer, their db/email list has been compromised.

The simplest answer is they are voluntarily being scum and selling user data to make a quick buck. It’s almost universally true.

>and selling user data to make a quick buck

Are there actually companies that will pay you $$$ for a list of emails?

Not exactly, but plenty will just sell everything to data brokers.

JimDabell 3d ago

> It’s almost universally true.

It’s not. I give a unique email address to every service I register with, which means I can see who is leaking my email address. Very few of them leak my email address at all, and those that do tend to do so involuntarily through data breaches.

The other main factors in spam are the sleazeballs at Apollo, ZoomInfo, et al., services that use my email address internally for more than I consented (if I use my email address to register for a service, this does not permit that service to add me to their product mailing list), and the spammers who guess email addresses based on LinkedIn info (e.g. name + company domain).

The number of services who appear to take an email address I have given them and sell it appear to be extremely rare.

I do the same, and seem to have a much higher hit rate (or a much lower acceptable baseline!)

michaelcampbell 3d ago

> > BrowserStack routinely sell or give away their users' data.

> Or the simpler answer, their db/email list has been compromised.

I find the first option far simpler.

Everyone in this thread suggesting a “data leak” or “compromise” is totally missing the fact that this is how Apollo works. This is often times overlooked by Apollo customers themselves. You have to opt out of customer data sharing (and in doing so lose out on the value of the product): https://knowledge.apollo.io/hc/en-us/articles/20727684184589...

Not commenting on whether this is good or ethical (or even totally legal), but this is what is happening behind the scenes.

How Data Sharing Works with Apollo's Living Contributor Network

Overview Data is the bread and butter of business at Apollo. As a result, Apollo takes data privacy and compliance very seriously and strives to be fully transparent about how it sources, collects,...

Apollo

For a little more color for people unfamiliar with modern sales/marketing:

1. A user signs up to BrowserStack

2. BrowserStack (automatically) upload the submitted user’s information to Apollo

3. Apollo “enrich” the user’s details using information they already have about the person, e.g: company revenue, LinkedIn profile

4. Sales reps at BrowserStack use the enriched information to identify leads, bucket for marketing etc.

Apollo’s customer data sharing adds any information BrowserStack send to Apollo to the person’s profile with Apollo, accessible to all Apollo customers.

For example, any other Apollo customer can search something like “email addresses for decision makers at Example, Inc.” and get back a list including your email address (if you told BrowserStack you are a decision maker at Example, Inc.)

Every single marketing team is doing all of this, the only reason it was obvious in this case is that the OP used a unique email address for BrowserStack. If you sign up for any business product online, you surely have a profile in Apollo filled with details about you gathered from around the web (and details you submitted).

edit: https://www.apollo.io/privacy-policy/remove opt out link but Apollo are just one of many companies offering this service

Remove your information

Search, engage, and convert over 210 million contacts at over 35 million companies with Apollo's sales intelligence and engagement platform.

tgsovlerkhgsel 3d ago

Hopefully in the soon future:

5. BrowserStack gets hit by a massive GDPR fine.

6. BrowserStack contests the fine for a couple of years, not paying a euro cent

7. People just remember 'BrowserStack got hit by a massive fine'

8. Everyone carries on with business as usual

So I'm not disputing this, but I set up a similar scheme to the author almost 8 years ago and conduct 90+% of my online business through the custom emails. Everything from Amazon to small local business.

In that time I have had 'leaks' twice: my State's Fish and Wildlife licensing organ, and GitHub. In both cases I assume it's more that the email ends up being public, not because of something like Apollo.

I guess it's possible that spam is getting filtered before it ever hits my inbox.

https://app.apollo.io/#/people/5ca6dec9a3ae61c16688683b

Site Reliability Engineering Technical Leader (G12) at Duo Security · Florida, US

Also has a phone number for you.

Apollo

Apollo helps B2B companies scale outbound sales.

>After a brief discussion, the emailer told me they got my details from Apollo.io

The landing page for Apollo.io says it's a "AI sales platform". In other words, a CRM. My guess is that someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications.

michaelcampbell 3d ago

> not realizing the privacy implications.

If only.

Linkedin got users to unwittingly to share their entire contact list by signing into gmail. What makes you think something similar wouldn't happen to some non-technical person on the sales team?

michaelcampbell 3d ago

My point is I don't think one bit of this is accidental.

And my point is that it's pretty easy for people to accidentally do it, and this is corroborated by the available evidence, so we should apply hanlon's razor rather than assuming someone at browserstack was laughing maniacally while uploading the email list.

michaelcampbell 3d ago

I made no such assertion. Only that businesses do things in the business's interest more frequently than databreaches.

> Only that businesses do things in the business's interest

That's not mutually exclusive with "someone on the sales team uploaded the entire customer list for sales purposes, not realizing the privacy implications".

>more frequently than databreaches.

You're fighting against both hanlon's razor and occam's razor here. The OP states the leak came from Apollo, and as other commenters have noted, Apollo specifically has a "Contributor Network" that shares email lists with other companies, and isn't well documented. It's not hard to imagine how this was done unintentionally. On the other hand there's no evidence to suggest this was done intentionally, other generic cynicism of "businesses do things in the business's interest" or whatever.

> Like all good nerds, I generate a unique email address for every service I sign up to. This has several advantages - it allows me to see if a message is legitimately from a service, if a service is hacked the hackers can't go credential stuffing, and I instantly know who leaked my address.

I think a lot of services will "de-alias" the email addresses from these tricks to prevent alts, account spam, and to still target the "real" account holder email. So the old tricks like "<name>+<website>@<host.com>" is not considered a unique email from "<name>@<host.com>". Unless your site-specific emails are completely new inbox aliases, then I don't think this is as effective as people think it is anymore.

I just do <website>@<myhost.tld>. It is sometimes confusing by when interacting with customer support ;-)

OptionOfT 3d ago

Yes ma'am, my email address really is bofa.com@<optionoft's-lastname>.com

No I'm not trying to hack you.

Which in hindsight is also what a hacker would say. I can't win...

noAnswer 3d ago

There are some big brain companies who will block you if their name appears in the email address. Like Discord. You can create an account, with [email protected]. But a seconde later you will get an email that your account got band.

They know their way around IT security! /s

anonymousiam 3d ago

What you say is often true, but in the case of Discord, at least in my case, you are wrong. My Discord email address is [email protected], and I am still receiving emails from them.

noAnswer 3d ago

It happend to me when i created my account in 2025. Within seconds of verifying the address I got a email that my account was band for TOS violation. I than created a seconds account (within minutes from the same IP) only writing "dc" instead of "discord" and that worked. ¯\_(ツ)_/¯

Where, of course, 'bofa' is merely short for 'bofetada.'

jnettome 3d ago

On top of it my email address is .me so is very common to when I finish spelling my e-mail, people waiting for .com

I often get asked whether I'm a fellow employee.

Semaphor 3d ago

I had one website forward my mail to their legal department who asked me why I’m impersonating them :D Only required a short explanation though.

theandrewbailey 3d ago

I have an account just like that at Best Buy with my domain. The teenage cashier I gave it to thought it was cool.

overlordalex 3d ago

The way that this is done these days (and likely what the author did/does) is that you use a custom domain to receive mail; you provide an email like [email protected], and that way when service@ starts receiving spam you know exactly where it comes from

ValentineC 3d ago

^ I've been doing this with catchalls since before Google Apps for Domain was even a thing.

Sometimes customer support staff bring up "oh, do you work at <company> too"? I just tell them that I created an email address just for their company, in case they spam me.

anonymousiam 3d ago

I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).

Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.

Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.

I've had many incidents similar to the author. More often than not, it's a rouge employee or a compromised computer, but sometimes it is as nefarious as the author's story.

Take it a step further and do uuid@

fragmede 3d ago

yes, but service is too guessable, so append a randomly generated nonce as well, eg [email protected]. It doesn't need to be cryptographically random, just non trivially guessable to prove the service is leaking email addresses.

QuantumNomad_3d ago

iCloud has a great feature that allows you to generate unique aliases on the fly quickly and easily. For example when signing up for new services via the web browser on iOS, you can generate a new address with the click of a button.

Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.

I use Fastmail with my own domain and 1Password. Together they give me a “masked email” button for forms that generates a random enough email address (two common words and four digits) and records the domain it was for. You can also create them ad-hoc from Fastmail’s interface.

As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?

garciansmith 3d ago

Yeah, Fastmail's aliases are great. I used to do things described by some other commenters, like myemail+nameofservice@ and whatnot, but this way the email is automatically generated and you don't have to put any thought into it.

theandrewbailey 3d ago

Having your own domain and giving a unique email address to everyone... Is it correct to call this canary trapping email addresses?

https://en.wikipedia.org/wiki/Canary_trap

Canary trap - Wikipedia