‘How Dashlane compromised my privacy on Twitter’

David bisson
David Bisson
@

DashlaneDashlane’s support center recently compromised my privacy on Twitter, an incident which I hope will serve as a cautionary tale for customer support representatives everywhere.

First let me begin by saying that I’ve been using Dashlane’s password management app for several months now, and overall I have been very happy with my experience. Dashlane has cut back on the time it takes for me to update my passwords, (I usually do this on a monthly basis.) and it has truly streamlined certain parts of my workday. It’s been a good ride, more or less.

Dashlane

Well last week, I noticed some issues with Dashlane’s app for OS X. Specifically, even though I have had two-factor authentication (2FA) enabled on my account since the very beginning, the app was freezing whenever I entered my security codes.

Sign up to our free newsletter.
Security news, advice, and tips.

I tried uninstalling and reinstalling the software to no avail. When this didn’t work, I decided to reach out to the password management company directly.

On Sunday, I contacted Dashline Support on Twitter. I described to them my problem, and after a few additional exchanges, they requested that I provide them with my email address in a direct message (DM).

So, I handed over my email address via a DM, expecting a confirmation soon thereafter.

It wasn’t until the next day, however, that Dashlane Support confirmed that they had sent me an email. There was just one problem. They told me this in a public tweet, and they fully disclosed my email address therein.

Dashlane's twitter goof

I immediately asked them to take down the offending the tweet, but there was no response. In fact, I didn’t hear from Dashlane again until some 20 hours later, by which time several individuals had noticed that Dashlane had tweeted out my email address.

The password management company’s support center apologized for the disclosure and stated that it had removed the tweet.

I have since confirmed the tweet’s removal.


I want to keep things in perspective here.

My case is not like that of Eric Springer, an Amazon user whose shipping address, phone number, and perhaps even credit card number were exposed after an attacker social engineered his way around Amazon customer support.

EmailUnlike financial data, email addresses are not inherently sensitive information. In fact, as security expert Troy Hunt points out on his blog, they are not only readily discoverable but are also in most cases meant to be shared.

That’s true. But it should still be your choice when or if you decide to share your email with someone else. And in particular if you want it to be made public. In no scenario should a customer support representative be doing that for you, especially when you haven’t submitted to any prior agreement explicitly authorizing them to do so.

I am disappointed that Dashlane exposed my email address on Twitter and took so long to fix the problem, but that’s the full extent of it. I intend to keep using Dashlane, and in the worst case, I’ll probably just need to keep an eye peeled for spam messages.

I only hope that this serves as a lesson to support representatives everywhere to take extra caution when handling customers’ information. Email addresses might be easily tracked online, but at the end of the day, companies like Dashlane still have a responsibility to respect users’ privacy and strive to keep them confidential.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

11 comments on “‘How Dashlane compromised my privacy on Twitter’”

  1. Emmanuel Schalit

    I am Emmanuel Schalit, the CEO of Dashlane.

    I would like to apologize on behalf of Dashlane for the public posting of your email address. As the CEO of a company that prides itself on safeguarding its users’ data, online security, and privacy I am disappointed and understand your anger.

    Our Customer Support team had 2 separate support threads open to assist you with the issue you were having with OSX. One of these was via public Tweeting, the other was a private Direct Message. Our support agent added a response to the wrong thread which results in your email address being posted publicly. It was an honest, but inexcusable mistake, and as you mentioned, a prime example for our Customer Support staff to exercise extra caution when handling any user personal information.

    I have instructed the head of our Customer Support team to create an action plan on best practices and to create an updated mandatory social media support training. Additionally, we will conduct additional internal QA to ensure these steps are being followed.

    Again, I am very sorry for the lapse you experienced. Our users trust us with their most valuable and private personal information and we will make every effort possible to learn from this incident. My email has been included in the comments submission and I would greatly appreciate the opportunity to speak with you 1-on-1 about this incident.

    Best,
    Emmanuel

    1. Bob · in reply to Emmanuel Schalit

      20 hours before you reply to somebody who has a serious complaint is not sloppy, it's negligent. No amount of "action plans" or "best practices" will rectify such matters.

      I for one don't use Dashlane and, after reading this story, it won't be a password manager that I'd even consider recommending.

      At the very least you should consider publicly apologising to the author via your official Twitter account and blog and then make some token gesture of recompense. Promising "mandatory social media support training" just doesn't cut it – no amount of training can make up for common sense and quality control (which should already be in place!)

  2. David Bisson

    Hello Emmanuel,

    Thank you so much for your thoughtful words regarding what happened earlier this week. I truly appreciate them, and I look forward to continuing my subscription with Dashlane well into the future.

    Best Regards,

    David Bisson

  3. mike

    personally I would never use twitter or social media for support issues. mistakes like this could happen. If direct message or private chat is not available. pick up the phone

    1. Mark · in reply to mike

      Sometimes the only way to get a company to take any issue you are having seriously is to contact them in a public space. I definitely agree there are risks but calling leaves no record of the communication and using chat and/or social media does. I get faster results this way than any time I have called a customer service department on the phone.

  4. Anonymous

    Did you really need to turn a small mistake into a full blown article?

  5. Comeau

    I had a terrible experience with Dashlane's free iOS app around 2 years ago. As my first password management app, I greatly enjoyed my experience. That is, until they released a broken version of the app that couldn't have gone through a proper QA process. I can't recall exactly what would happen upon launching the app, but I decided to delete the app and install it again in an effort to fix the problem. Unfortunately, the free version of the app only had local password storage. Thus, when I reinstalled the app, ALL of my passwords were lost. Needless to say, by the time I received an email from Dashlane offering free premium service to all those affected, I had already switched over to 1Password and spent hours changing all of my passwords again. I haven't had any trouble since.

  6. hydrabadchik

    Thank you for turning a "small mistake" into a full blown article. The tone and context were in no way exaggerated. I don't swear that I will avoid Dashlane like the plague or anything like that. But I too have taken to social media to describe an issue with more than one service. Like another poster mentioned, I have gotten faster responses and an actual solution as compared with calling or using the less public communication channels.

  7. Anonymous

    From what sane perspective would anybody use public social media with any expectation of privacy? You sir are as much of a nitwit as the person who responded to your PM in public, as is the nitwit who thinks this is no big deal. No excuses or mistake, you are all cut from the same bolt of millennial cloth, devoid of the ability to apply logic or reason.

  8. Intel

    I hope I read that in time. I think I will just stick to Intel True Key.

  9. Matthew Whited

    This is a you problem not a them problem. email addresses are not where secure. Hell, email alone is not secure. It's plain text bounced across public servers where anyone along the way can see and alter the content.

    Worrying about your email address being "leaked" is about like worrying that someone can see the number on the front of you house.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.