UPDATE: See the comments below. Pandora’s CTO responded with the following explanation – while I haven’t shared much, I can see it being a spyware issue of someone I’ve shared having spyware on their computer – he has a good point.
“Hi there, I’m the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.
We do however hear of cases like this a couple of times a year and I’ve worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you’ve ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it’s likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there’s spyware on your machine that’s another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you’re using is firstname.lastname@example.org it’s possible that some spammer was just iterating on dictionary words against your mail system.
It’s a terrible situation that we live in an environment where it’s nearly impossible to keep our personal email addressses out of the hands of spammers.
Feel free to write any time, with any concern. Predictably I’m tom-at-pandora.
Could Pandora be giving out or selling their users’ e-mails? They say they don’t, but I got a disturbing e-mail yesterday that I’m still trying to figure out. When I sign up for services, I usually sign up with the e-mail address, email@example.com so that I can detect where my spam is coming from. Yesterday, I received a weird piece of spam from “news21.tv” in what I believe to be French. The subject states, “News21.tv des vidéos pour les Expatriés, DRH, Exportateurs… A découvrir”. What caught my attention though, is that it was sent to “firstname.lastname@example.org”.
There’s only one site I ever gave that e-mail address to, and that’s Pandora. Could Pandora be selling e-mail addresses to spammers? Could there be a leak at Pandora, where my e-mail address somehow accidentally got out to spammers? Or is this just a fluke where some spammer decided to randomly send e-mail to email@example.com where domainname.com is all wildcard e-mail addresses they’re aware of? I can’t tell, but it’s troubling – I’ve never had a spammer actually use an e-mail address for a service I actually belong to. This makes me wonder if it actually is an issue at Pandora.
I mentioned this on FriendFeed, and a Pandora rep actually did respond (Does your company track FriendFeed?). Here was the thread:
Me: “wtf??? I’m getting Spam and it’s to my Pandora address. Did Pandora sell my e-mail address? NOT HAPPY”
Pandora Radio: “Hi Jesse – We *definitely* never sell or give away listeners’ email addresses. Feel free to email firstname.lastname@example.org if you’d like. – Lucia, from Pandora”
I want to believe Pandora. They seem like a pretty ethical company, and have supported some good causes in the past. It makes me wonder however if somehow, some e-mail addresses got out of their system that they weren’t aware of. Perhaps my e-mail address is on a public profile somewhere on Pandora’s website? Has anyone else experienced this, and do you have any ideas how this could be happening? The text of the e-mail can be found here.