Could Pandora be Leaking User E-mail Addresses to 3rd Parties?

UPDATE: See the comments below. Pandora’s CTO responded with the following explanation – while I haven’t shared much, I can see it being a spyware issue of someone I’ve shared having spyware on their computer – he has a good point.

“Hi there, I’m the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.

We do however hear of cases like this a couple of times a year and I’ve worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you’ve ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it’s likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there’s spyware on your machine that’s another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you’re using is pandora@stayinalive.com it’s possible that some spammer was just iterating on dictionary words against your mail system.

It’s a terrible situation that we live in an environment where it’s nearly impossible to keep our personal email addressses out of the hands of spammers.

Feel free to write any time, with any concern. Predictably I’m tom-at-pandora.

Picture 3.png

Picture 5.pngCould Pandora be giving out or selling their users’ e-mails? They say they don’t, but I got a disturbing e-mail yesterday that I’m still trying to figure out. When I sign up for services, I usually sign up with the e-mail address, servicename@staynalive.com so that I can detect where my spam is coming from. Yesterday, I received a weird piece of spam from “news21.tv” in what I believe to be French. The subject states, “News21.tv des vidéos pour les Expatriés, DRH, Exportateurs… A découvrir”. What caught my attention though, is that it was sent to “pandora@staynalive.com”.

There’s only one site I ever gave that e-mail address to, and that’s Pandora. Could Pandora be selling e-mail addresses to spammers? Could there be a leak at Pandora, where my e-mail address somehow accidentally got out to spammers? Or is this just a fluke where some spammer decided to randomly send e-mail to pandora@domainname.com where domainname.com is all wildcard e-mail addresses they’re aware of? I can’t tell, but it’s troubling – I’ve never had a spammer actually use an e-mail address for a service I actually belong to. This makes me wonder if it actually is an issue at Pandora.

I mentioned this on FriendFeed, and a Pandora rep actually did respond (Does your company track FriendFeed?). Here was the thread:

Me: “wtf??? I’m getting Spam and it’s to my Pandora address. Did Pandora sell my e-mail address? NOT HAPPY”
Pandora Radio: “Hi Jesse – We *definitely* never sell or give away listeners’ email addresses. Feel free to email support@pandora.com if you’d like. – Lucia, from Pandora”

I want to believe Pandora. They seem like a pretty ethical company, and have supported some good causes in the past. It makes me wonder however if somehow, some e-mail addresses got out of their system that they weren’t aware of. Perhaps my e-mail address is on a public profile somewhere on Pandora’s website? Has anyone else experienced this, and do you have any ideas how this could be happening? The text of the e-mail can be found here.

Advertisements

16 thoughts on “Could Pandora be Leaking User E-mail Addresses to 3rd Parties?

  1. Duncan, not sure if that's why something like this would happen, or if
    it's even their fault, but I am definitely tired of getting the “woe
    is me – vote for government to bail us out of this mess” e-mails from
    them. I was especially disturbed to get this one. I certainly hope
    this doesn't come from the e-mail address I gave them.

    Like

  2. I should also add that I got an e-mail from them, targeting me because I was a “constituent of Chris Cannon”, my congressman, to encourage him to vote on the internet radio bill. It's interesting marketing, but also outright spam IMO, and a little creepy that they're looking up where I live to determine who my congressman is.

    Like

  3. I worked for a top 500 Alexa property for a couple of years who used to get the same complaint every so often. We knew we weren't selling addresses, so we tested the complaint by setting up a few dozen fake email accounts all over the place and registered them with the system. Just waiting for SPAM. None came. We finally came to the conclusion that it was probably trojan's on the users system, users ISP level, and or friends system that were harvesting the email address's.

    I doubt it is Pandora.

    Like

  4. Hi there, I'm the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.

    We do however hear of cases like this a couple of times a year and I've worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you've ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it's likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there's spyware on your machine that's another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you're using is pandora@stayinalive.com it's possible that some spammer was just iterating on dictionary words against your mail system.

    It's a terrible situation that we live in an environment where it's nearly impossible to keep our personal email addressses out of the hands of spammers.

    Feel free to write any time, with any concern. Predictably I'm tom-at-pandora.

    Tom
    CTO @ Pandora

    Like

  5. Hey Jesse. Noticed that you were opted in to receive emails from us. Would you like me to remove you from the list? You (of course) can also change your mail settings from the web or unsubscribe from a link in the footer of any email we send you.

    Sorry that the congressional emails were a nuisance. Truth is that they literally saved the company. Pandora operates under a government controlled license and without congress passing a bill that extended the negotiating power of SoundExchange without question Pandora wouldn't have survived. The only way to get congress to act is to get constituents to speak up. We're incredible grateful to our listeners that called capitol hill on our behalf. Believe me, we really would never have asked for the help if there was any other way.

    Like

  6. I worked for a top 500 Alexa property for a couple of years who used to get the same complaint every so often. We knew we weren't selling addresses, so we tested the complaint by setting up a few dozen fake email accounts all over the place and registered them with the system. Just waiting for SPAM. None came. We finally came to the conclusion that it was probably trojan's on the users system, users ISP level, and or friends system that were harvesting the email address's.

    I doubt it is Pandora.

    Like

  7. Hi there, I'm the CTO over at Pandora. Saw a link to this post on Twitter. I can tell you with absolute certainty that we never have and never will sell, give away, trade or disseminate in any way our listeners email addresses. We also do routine security audits; your email address absolutely is not available anywhere on public systems.

    We do however hear of cases like this a couple of times a year and I've worked other places where similar complaints would come in. In my experience the cause is almost always spyware on a machine that at one time received an email from the address in question. For example, if you've ever used Pandora to share a station with a friend, or invite someone else to use the service, your pandora email address would be on the email we sent to your friend. If that friend has a machine infected with Spyware it's likely that your email address made it into some spammers directory. Of course we also send you a welcome email, if there's spyware on your machine that's another possibility. The final (and least likely) possibility is a simple dictionary attack — since the email address you're using is pandora@stayinalive.com it's possible that some spammer was just iterating on dictionary words against your mail system.

    It's a terrible situation that we live in an environment where it's nearly impossible to keep our personal email addressses out of the hands of spammers.

    Feel free to write any time, with any concern. Predictably I'm tom-at-pandora.

    Tom
    CTO @ Pandora

    Like

  8. Hey Jesse. Noticed that you were opted in to receive emails from us. Would you like me to remove you from the list? You (of course) can also change your mail settings from the web or unsubscribe from a link in the footer of any email we send you.

    Sorry that the congressional emails were a nuisance. Truth is that they literally saved the company. Pandora operates under a government controlled license and without congress passing a bill that extended the negotiating power of SoundExchange without question Pandora wouldn't have survived. The only way to get congress to act is to get constituents to speak up. We're incredible grateful to our listeners that called capitol hill on our behalf. Believe me, we really would never have asked for the help if there was any other way.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s