Can Boards please confirm if there was a data breach in users email addresses being publicly exposed on the website? I have seen a post where a user has mentioned that they were able to see another users email address on their profile.
Kinda, but the legalese part is small fry IMHO. What's much more at stake are the optics to users. If people think they've been exposed that adds to the growing reasons to walk away.
Has anyone informed the affected users that their email was visible before @Mickeroo flicked the switch, and that it's still visible on Google?
We're all talking about it here and we know 3 of the affected usernames, so they have a right to know.
Yeah, lads those earlier screenshots need to go.
While PERSEC is every individuals responsibility, anyone with any rudimentary OSINT abilities can yield way too much information on someone. For example, without going down the rabbit hole, I have one users name, location, email, Youtube channel and plenty more if I spent a few minutes at it...which I obviously won't.
Not good at all.
Jesus! We're past the stage where "Nothing to see here" is acceptable @Boards.ie: Odhran.
Just searched my profile and its private.
For those dismissing the DPC. Substantial fines could be handed out depending on the size of of a breach. Boards will have to determine that and decide whether it needs to be reported.
Others can of course report a breach of their data to the DPC who will then see a common thread. They will of course need proof your data is breached.
Hi all, thanks for your patience. We have confirmed that the option to 'Allow other users to see your email?' was OFF for all users on migration.
Since then a small number of users have ticked this box to allow their email address be seen by others. We will be switching this back to OFF for these users as well and contacting them to let them know the implications of switching it on.
Re being able to Google a user and see their email address, this was possible due to an error in permissions for logged out users meaning that they could see email addresses on accounts which had enabled the 'Allow other users to see your email?' option. This permission has been removed now, however Google results are not updated instantaneously so it will take time for those results to disappear. We really do apologise for this and will convey our apologies to the users who have the option enabled directly as well. If anyone has turned it off recently, please accept our apologies here.
We will be contacting the DPC tomorrow to make them aware of the issue.
On another note, for the sake of your fellow users, please don't google and share particular users info here; even by showing their username in a screenshot you are leading others to their email address. We can request Google remove these results quicker but they don't always respond to these requests.
The team are already aware of and working on a solution for the issue with closed accounts but thanks for letting us know again here.
Again, thanks to you all for making us aware of this so we could get it fixed, we sincerely apologise to those affected.
Tl;dr a setting to allow unregistered/logged out users see everything a logged in user was set which allowed the email addresses of those who selected to show their emails to be seen from outside of the site. This has now been rectified though Google search results may take a while longer to update.
Theory -v- practice.
Niamh, This email needs to be a forum wide announcement rather than a post hidden away in a long... ish thread.
Great that you've found the problem though sadly it points back to a severe lack of testing before the new platform went live.
Based on boards contacting the DPC tomorrow, we shall soon see.
Why? It was users' own choice to make their email public by ticking the checkbox in their Profile. Consent was given.
It was users’ choice to make their email public to “other members”, not to unregistered users which included Google. That’s what the problem is. Everybody with internet access could see the email addresses, member or not.
Consent given for the site not outside.
@Boards.ie: Niamh perhaps you would be kind enough to change the thread title back to its original, correct title.
It's likely some users use same email as Facebook
There is actually potential for someone to get the phone number of a person if they have that open on Facebook.
That's exactly what I would have expected, that anything visible on a profile wouldn't require a membership to view, same as our posts. Kinda surprised that's not the general expectation. Of course they could have made that clear though.
Yeah but really is whoever makes it visible to Boards really bothered about it being made visible to Google as well?
In what scenario would someone be comfortable having their email address visible to the 600,000 users of Boards but concerned about anyone outside that.
Mountain out of a molehill.
It's more visible to scraping algorithms if you do not need an account. It also means that now this is public knowledge, this info will be hanging out there for weeks until the Google cache is renewed.
600,000 users of boards. 🤣
"Active" vs "Inactive" 🤣
Niamh, the screenshots are still on page 2.
”The 600,000 users of Boards… are they in the room with us now?”
I now know what youtube channel you follow and now will find out everything about your life
I think I am the only one who has a throw away email address specifically for Boards . If it's made public I won't lose any sleep . Start changing your email addresses, it might change in earlier posts also and break the connection to you . Worth a try .
This is a mind-boggling idiotic statement. You clearly don't understand the amount of harm a nefarious individual could do with even basic information.
In this instance, a member here did not use a burner email and while it may not be their primary email, a significant amount of information on them is available with only a cursory first layer search.
Obviously if the information was in respect to you, you'd be quite happy with me (a stranger on the internet) knowing your real name, where you live, your interests etc.
Just for this guy alone, I have ample unreasonable opportunity to engage in various degrees of online and real life harassment, blackmail and cultivation....and that's the mild end of issues where the best you could hope for is ONLY being doxxed.
There's a vast amount of unhinged individuals among us, maybe one of them disagreed with the poster and now wants to confront them in real life, well now they can.
Mountain out of a molehill my bollox, you'd want to switch yourself on and not be so dismissive over something you are clearly uneducated about.
Opting in to allow fellow users to contact a burner address, fair enough, not for me but fair enough. Having it available to any fcuktard on Google. No way.
In my opinion, there should never be an option to allow the viewing of your personal details on here, not all of us use burner emails/phone numbers and not all of us understand what can be done with that information.
I came across this thread only because somebody mentioned it in another thread. @Boards.ie: Niamh you really need to let the entire site know to check their settings. I wasn’t sure mine was checked or unchecked until went to look just now
Remember the day the site reopened? Absolutely everything was white and very confusing. This included the profile area and I do remember looking at the email section wondering was my email address showing or not showing. Another poster PMed me asking me to check theirs as they wasn’t sure either.
It’s highly probable that some users checked the email box in error and they are none the wiser. The least you could do is have a site wide notice banner saying “check your email settings in your profile”
Ask the members who were randomly selected here for test searches had they checked their email visibility boxes by deliberate choice.
My memory is different re what is said to have been default settings but that could easily be me and I have to accept what is said. But directly ask others who have been proven to have had email visibility and it should help clear some things up.
Posters hand waving data privacy issues really should give themselves a shake.
Fact is that if the email is searchable on Google, that is an incredible breach. What if that's what you're applying for jobs with etc. and an employer can see everything you've posted.
So you will re amend the thread title back to what it was before you changed it. a data breach not a email issue.
Thanks, I removed them there.
I wouldn't want you or anyone else knowing my email address. Hence I did not tick the checkbox. But that's not what happened here is it? People knowingly made their email public.
I assume you did not give your email when signing up for the HSE vaccine either if you're so precious about it. Afterall, they already had their data compromised.