Ghostery sends out GDPR-themed emails, ends up exposing hundreds of user email addresses
Ad-blocking tool Ghostery suffered an embarrassing gaffe last week after sending out notification emails about the company's data collection policies. As the EU's General Data Protection Regulation (GDPR) went into effect, the company decided to send out a "Happy GDPR Day" email on Friday assuring subscribers that it had "got you covered".
The email reaffirmed the company's commitment to user privacy and said it had implemented measures to ensure compliance with the new, stricter digital privacy law.
"We at Ghostery hold ourselves to a high standard when it comes to users' privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation," the email read.
However, Ghostery also accidentally exposed the email addresses of hundreds of other users in the process. The emails went out in batches of 500 users, with every recipient in a batch listed in a visible address field (the company's own statement says the To field rather than CC), so every user in each batch could see the email addresses of everyone else who received the message.
Multiple irked Ghostery users immediately took to social media to complain about the gaffe.
"Ghostery is off to a great start," one Twitter user wrote, while another chimed in: "Time to delete my account."
"You've got to be kidding me," Adrian Sanabria, research director and co-founder of Savage Security, tweeted. "Exposing customer email addresses IN A GDPR NOTICE? The irony is too much."
The company later acknowledged the error, saying it was caused by an operator's mistake while using its new self-hosted email delivery system.
"Recently, we decided to stop using a third-party email automation platform. In an effort to be more secure, we wanted to manage user account emails in our own system, so we could fully monitor and control data practices surrounding them," Ghostery said in a statement. "Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient, was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the 'To' field.
"We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again."
The company said that as soon as it realized the error it stopped sending further emails and halted the process for all future mailings. It added that only email addresses were disclosed.
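The failure Ghostery describes is a bulk sender building one message with every batch member in the visible To header instead of one message per recipient. The Python below is an added example, not Ghostery's code and not a description of the tool they used: it builds both shapes of message with the standard library, and adds the pre-send gate a mailing pipeline should run so that a run containing any multi-recipient message is refused before anything leaves. The sender and recipient addresses are constructed placeholders, and `deliver` is a stand-in for whatever actually hands the message to SMTP.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; none of these are real addresses.
SENDER = "noreply@example.com"
SAMPLE_RECIPIENTS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]
SUBJECT = "Happy GDPR Day"
BODY = "We've got you covered."


def build_batch_message(sender, recipients, subject, body):
    """The failure mode: a single message that names every recipient in To.

    Anyone who receives this can read every other address in the header.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body):
    """The intended behaviour: one message per recipient, addressed only to them."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Every address a recipient could read out of the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def find_exposures(messages):
    """Pre-send gate: flag any message whose visible recipient list is not
    exactly one address. Returns (index, visible_recipients) per violation."""
    violations = []
    for i, msg in enumerate(messages):
        rcpts = visible_recipients(msg)
        if len(rcpts) != 1:
            violations.append((i, rcpts))
    return violations


def send_all(messages, deliver):
    """Refuse the whole run if any message would expose other recipients;
    otherwise hand each message to `deliver` and return how many went out."""
    violations = find_exposures(messages)
    if violations:
        raise ValueError(
            f"refusing to send: {len(violations)} message(s) expose multiple recipients"
        )
    for msg in messages:
        deliver(msg)
    return len(messages)


if __name__ == "__main__":
    bad_run = [build_batch_message(SENDER, SAMPLE_RECIPIENTS, SUBJECT, BODY)]
    good_run = build_individual_messages(SENDER, SAMPLE_RECIPIENTS, SUBJECT, BODY)
    print("batch run violations:", find_exposures(bad_run))
    print("per-recipient run violations:", find_exposures(good_run))
    # deliver stub: a real pipeline would pass an smtplib-backed callable here
    print("sent", send_all(good_run, lambda m: None))
```

The gate checks the rendered headers rather than the list the template engine was given, because that is where the batching bug lived: the input list was correct, the message that got built was not. Running `find_exposures` over the materialised messages, and refusing the entire run on the first violation, is what turns a configuration slip into a failed job instead of a disclosure.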
"We take our privacy and security practices very seriously; after all, they are both part of the value statement for our own products," Ghostery said. "We have already terminated the email distribution and already determined what went wrong. It was a simple human mistake."
While the email was likely just a simple mistake, the company said it will report the incident as mandated by the GDPR. It has also provided instructions for users on how to opt out of its marketing emails and delete their Ghostery accounts, should they choose to.