Sonos goofs again – this time revealing customers’ email addresses in Cc: blunder

Graham Cluley


Sonos hasn’t had the best start to 2020, and it just got a little bit worse.

Earlier this month it announced that from May it would no longer be pushing out software updates to some of its legacy speaker hardware and (to make things worse) if you had a mixture of newer and older Sonos equipment inside your home none of them would be receiving any updates!

There has since been a partial U-turn on that, with Sonos’s CEO saying that the firm was working on a way to allow customers to split their systems so that modern products could work together and get the latest features, while legacy products work together and remain in their current state without updates.


It’s been something of a communications crisis for Sonos, which it should really have thought through in advance. And one of the consequences has been that Sonos’s customer service team has been inundated with concerned emails from some (quite understandably) grumpy customers who have invested a lot of money in their speaker systems.

To handle the barrage of emails, Sonos’s European customer service department has been sending out a generic email as they try to work through the backlog.

The email begins:

Dear Customer,

Thank you for contacting Sonos. Your query is important to us.

We apologise for the delayed response. Since last week we received an unprecedented number of emails which means we are unable to get back to you within our normal service levels.

If your query is regarding our Life Cycle communication please see a blog…

So what’s wrong with that? Well, as BBC News reports, a customer service representative made the mistake of emailing it to 475 customers… by including all 475 email addresses in the Cc: field rather than the Bcc: field.

Customers, understandably, were not impressed to find that Sonos had shared their email address with everyone else on the list.

Sonos shared a statement with BBC News apologising for the error. Presumably it sent the same statement to other news outlets. Hopefully Bcc’ing them.

Pretty embarrassing for Sonos to be sure, but not quite as embarrassing as the time the Dutch data protection authority had to report itself to itself after suffering a similar data breach.

Problems like this can be avoided by having an email client (or the outbound mail gateway) count the addresses in the To: and Cc: fields, warn when the number is unreasonably large, and ask for confirmation before the message is sent. Better still, the check can move the excess recipients out of the visible headers altogether: Bcc recipients are delivered via the envelope, so none of them ever appears in the message the others receive.
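The guard described above, as an added example for this post rather than code from Sonos or any real mail client. It parses an outgoing message, counts the addresses exposed in To: and Cc:, blocks the send when the count exceeds an assumed policy threshold, and offers a rewrite that strips the Cc: header and returns the full recipient list as envelope recipients (which is all "Bcc" really is). The threshold and the sample message are constructed assumptions.

```python
"""Outbound-mail recipient-exposure guard (added example, not from the post)."""
from __future__ import annotations

from email import message_from_string
from email.utils import getaddresses

# Assumed policy threshold: more visible recipients than this is almost
# certainly a mass mailing that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 10

# Constructed sample: a support auto-reply with 12 customers in Cc:.
SAMPLE_MESSAGE = (
    "From: support@example.com\n"
    "To: support@example.com\n"
    "Cc: " + ", ".join(f"customer{i}@example.net" for i in range(1, 13)) + "\n"
    "Subject: Thank you for contacting us\n"
    "\n"
    "Dear Customer,\n"
    "Thank you for contacting us. Your query is important to us.\n"
)


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient can see: everything in To: and Cc:."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def check_exposure(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Return a verdict the client can show before sending.

    'blocked' is True when the message exposes more than `limit` addresses;
    the client should then demand confirmation or refuse to send.
    """
    count = len(visible_recipients(raw_message))
    return {
        "visible": count,
        "blocked": count > limit,
        "reason": (
            f"{count} addresses exposed in To:/Cc: (limit {limit}); use Bcc"
            if count > limit
            else "ok"
        ),
    }


def to_bcc(raw_message: str) -> tuple[str, list[str]]:
    """Rewrite the message so only the To: address stays visible.

    Returns (rewritten_message, envelope_recipients). Bcc is not a header
    that gets transmitted: the Cc: (and any stray Bcc:) header is removed,
    and the addresses are handed to the MTA as RCPT TO recipients instead.
    """
    msg = message_from_string(raw_message)
    envelope = visible_recipients(raw_message)
    envelope += [addr for _n, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    del msg["Cc"]
    del msg["Bcc"]  # never let a Bcc: header leak into the sent message
    return msg.as_string(), envelope


if __name__ == "__main__":
    verdict = check_exposure(SAMPLE_MESSAGE)
    print(verdict["reason"])
    if verdict["blocked"]:
        fixed, rcpts = to_bcc(SAMPLE_MESSAGE)
        print(f"visible after fix: {visible_recipients(fixed)}")
        print(f"envelope recipients: {len(rcpts)}")
```

In a real deployment the check would run as a send-time hook in the client or as a milter/policy filter on the outbound gateway; the point is that the count and the rewrite are both trivial, so there is no good reason for 475 addresses to reach a Cc: header in the first place.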


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
