HEY pulls feature which could expose email threads without participants’ knowledge

A new service called HEY claims to have a fresh take on email.

It’s a redo, a rethink, a simplified, potent reintroduction of email. A fresh start, the way it should be.

And watching a tour of their product you certainly get the feeling that they’re living up to their promise, tackling some of the problems many of us face with an overloaded email inbox.

The product has got plenty of attention, partly because people really like the look of what they’ve seen, and partly because Apple and HEY’s developers Basecamp got into a very public ding-dong about whether their iOS app was breaking the App Store’s rules or not.

It looks like that kerfuffle is now getting resolved, and – frankly – it’s probably helped drive even more interest in HEY, and encouraged more people to sign up to the waiting list to give HEY a try.

But creating an email service from scratch isn’t simple, and designing one which attempts to take a different look at how we manage our email inbox is perhaps even more complicated.

One sign of that came to light yesterday on Twitter, when HEY user Kylie Stewart, a software engineer at Formidable Labs, tweeted a link to an email thread she had exchanged with her colleague Jon Reynolds.

Yes, you read that correctly. Kylie posted a link that allowed anybody to see her email conversation with Jon. But Jon hadn’t approved it.

HEY gave Kylie, and any other user of the new email service, an easy way of sharing a public link to an email thread.

[Image: HEY’s “Get a public link” option]

And yes, HEY did display a clear message that sharing the link would allow anyone in the world to access it. But what it didn’t do is seek the permission of anyone else on that email thread.

Furthermore, HEY’s public link didn’t just expose all messages in the thread up until that point: all subsequent messages on that thread were publicly exposed too.


Email should be private by default. If personal emails are going to be shared then it should be with the explicit permission of all participants.
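One way to model the two safeguards discussed above, consent from every participant and a link frozen at the messages that existed when it was requested (an added example, not HEY's or Basecamp's code; the class names, methods and sample addresses are hypothetical):

```python
from dataclasses import dataclass, field


@dataclass
class Thread:
    participants: set
    messages: list = field(default_factory=list)


@dataclass
class ShareLink:
    thread: Thread
    required: frozenset   # everyone on the thread when the link was requested
    snapshot_len: int     # number of messages that existed at that moment
    approved: set = field(default_factory=set)
    revoked: bool = False

    @classmethod
    def request(cls, thread, requester):
        if requester not in thread.participants:
            raise PermissionError("only a participant may request a link")
        # The requester's own consent is implied; everyone else must opt in.
        return cls(thread, frozenset(thread.participants),
                   len(thread.messages), {requester})

    def approve(self, who):
        if who not in self.required:
            raise PermissionError("not a participant of the shared thread")
        self.approved.add(who)

    def revoke(self, who):
        # Any participant can withdraw the link at any time.
        if who not in self.required:
            raise PermissionError("not a participant of the shared thread")
        self.revoked = True

    def public_view(self):
        """Messages an anonymous visitor may see, or None if not public."""
        if self.revoked or not self.required <= self.approved:
            return None
        # Frozen at request time: later replies never leak through the link.
        return self.thread.messages[:self.snapshot_len]
```

The link stays private until every participant has approved it, and a reply sent after the request is never served through it.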

And yes, it’s easy to screenshot an email thread or forward an email message. No-one’s denying that it’s easy to break a confidence, but HEY’s “Get a public link” functionality sits uncomfortably alongside other features which promote its desire for greater inbox privacy.

Fortunately, HEY seems to agree. Within hours of Kylie’s message on Twitter, Basecamp’s founder David Heinemeier Hansson said that the “public link” feature was being withdrawn while his team went away and thought about things a bit more.

All in all, a sensible and speedy response from HEY that helps prevent them making headlines for the wrong reasons.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
