Indie MMO Starborne accidentally exposes alpha tester contact info in email blast

    
If you participated in the alpha for indie MMORTS Starborne, you might wanna check your email: Multiple alpha participants are now reporting that they received a thank-you email that exposed the email addresses of a large chunk of other players, without permission. In other words, it looks like somebody at Solid Clouds took the email list and CCed when they shoulda BCCed, resulting in a painful privacy breach.

One pic from Reddit clearly shows a long string of email addresses (crossed out for privacy in the image); our tipster estimated around 50 people were exposed just in the one email, though depending on how many mails were sent, it could be many more.

It’s not clear what sort of recourse affected players have; Solid Clouds is based in the EU, Iceland specifically. It does, however, seem like an honest mistake and email-fail. (The actual bad guys sell your data; they don’t give it away in a thank-you email.) Either way, if your email is now floating out in the void, maybe double-check any of your associated accounts.

We’ve reached out to the studio for a statement and will update when we have it.

Source: Reddit, email. With thanks to our tipster!
Update
We’ve got the statement from the studio now, straight from CEO and Founder of Solid Clouds Stefán Gunnarsson:

“Today we sent an email to our players to notify them of their promised rewards for participating in the Starborne Alpha. Unfortunately, this email was configured using the wrong protocols causing players to see the email addresses of up to 49 other recipients in the same batch. We reacted as soon as we noticed, immediately reverting to the previous protocols and our regular mail services remain unaffected. We are informing affected players of this issue and we will continue to personally respond to everyone who reaches out to us in regards to today’s incident. We take the privacy of our players very seriously and we are committed to learn from this mistake to ensure this never happens again.”

Reader
jikap

Yea, I got this e-mail as well. Personally, it’s not too big of a deal for me, as I’m pretty sure just about everyone who wants to know, knows about my e-mail already.

They posted a comment in the Reddit post you linked though:

EG_iMaple

“Hey guys, I’m not gonna mince words. We fucked up.

We wanted to distribute the promised rewards for all alpha testers on record, but the transaction emails confirming that you got the rewards were sent under the wrong protocol causing some of you to see the emails of other recipients in your specific batch – which is up to 44 other addresses.

We rectified the issue as soon as we discovered it and have taken every possible measure to ensure this won’t happen again, but unfortunately we cannot take back the emails that went out.

I’m truly sorry this happened – we just wanted to say thank you for having supported us over all these years and we ended up with a privacy breach. The office here is on fire and we’re doing everything we can to personally respond to every one of you guys reaching out to us to inform you of the scope of the issue and will continue to do so over the Easter period.”

Reader
Mewmew

Haha, yeah the main email that I use now is terribly known and passed all around already. It’s why I don’t really enjoy it when places have us use our email as a login. While it may be easy for us to remember and all, eventually it gets out there and put on the lists.

The number of information breaches that contain our email is very high. It’s pretty rare to have an email that doesn’t end up on the lists. If you watch sites like haveibeenpwned that keep track of breaches (and you can even check if you’ve been exposed in them), they happen fairly non-stop.

Reader
3dom

Got the e-mail with ~15 e-mail addresses in it.

Not a big deal considering ~20 other companies leaked this same mailbox along with passwords and other registration data.

Reader
3dom

Correction: there are really 40+ email addresses in the letter.

Reader
Kickstarter Donor
Greaterdivinity

Are they not using an email distribution service? Because that would fix all those problems by letting them create a list for automatic direct mail.

Either way though, while this is a bit of an embarrassing mistake it’s pretty minor. 50 folks is absolutely nothing in terms of volume, and email addresses alone aren’t super sensitive or identifiable information. Definitely apology-worthy but that’s about the long and short of it IMO. All our emails are/have been floating around for years and years now thanks to tons of data breaches that were never even reported : /

Reader
Nate Woodard

It’s likely an in-house software.

Reader
Leiloni

It sounds like they sent numerous batches of 50 emails each. Not sure what email software sends like that since I’m familiar with ones that send personal emails to each recipient. But it does sound like more than 50 emails.

Reader
Aelzen

This is the case. One of my accounts got a different list of emails than the other, so looks like they exposed everyone’s emails, but to a limited audience in batches of about 50.