24
Just realized my code had a silent data leak for 3 months
I was going through my database logs last night and noticed some numbers that looked off. Turns out a simple error in one of my first API calls was sending user email addresses to a third party analytics service every time someone clicked a button. I found it completely by accident while reading a guide about GDPR compliance on the Mozilla developer blog. The scariest part is that none of my error catching or testing caught it because the data still went through fine. I had about 400 users affected over those three months and now I have to figure out how to notify them. How do you even test for stuff like this when you are just learning and don't know what to look for?
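One way to test for the kind of leak described in the post, as an added example that is not part of the original thread: wrap the function that sends events to the analytics service so a test run throws when an outbound payload contains an email-like value, even though the request itself would succeed. The function names and the sample click events are hypothetical and constructed for illustration.

```javascript
// Added example. All names (findEmailLeaks, guardTransport, the sample
// events) are hypothetical; adapt them to your own analytics wrapper.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Walk a payload recursively and return the paths of email-like values.
// Strings are also URL-decoded, so "ana%40example.com" in a URL is caught.
function findEmailLeaks(value, path = "$", hits = []) {
  if (typeof value === "string") {
    let decoded = value;
    try { decoded = decodeURIComponent(value); } catch (_) { /* keep raw */ }
    if (EMAIL_RE.test(value) || EMAIL_RE.test(decoded)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findEmailLeaks(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [key, v] of Object.entries(value)) {
      // Keys can carry data too, e.g. a map keyed by email address.
      if (EMAIL_RE.test(key)) hits.push(`${path}.<key>`);
      findEmailLeaks(v, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Wrap the function that ships events to the third party. A leak becomes
// a thrown error in tests instead of a request that "went through fine".
function guardTransport(send) {
  return (payload) => {
    const leaks = findEmailLeaks(payload);
    if (leaks.length > 0) {
      throw new Error(`email-like data in outbound event at: ${leaks.join(", ")}`);
    }
    return send(payload);
  };
}

// Constructed sample events: one leaks an email twice, one is clean.
const leakyClickEvent = {
  event: "button_click",
  props: { page: "/settings", user: { id: 4821, email: "ana@example.com" } },
  url: "/settings?ref=ana%40example.com",
};
const cleanClickEvent = {
  event: "button_click",
  props: { page: "/settings", user: { id: 4821 } },
  url: "/settings",
};
```

In a test suite, pass a stub as `send` and route every analytics call through the guarded function; the same wrapper can log instead of throw if it is also used outside tests.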
3 comments
jamiesullivan13d ago
wait were those emails going out in plaintext or encrypted? like did the third party even need that data or was it just sitting there in their logs this whole time
2
the_felix13d ago
"just sitting there in their logs" - that's exactly what bugs me. Most people don't realize these third party services often keep raw email data for years as "backups" or "analytics" (conveniently vague terms). I've seen contracts where data retention policies are buried on page 47 of the TOS, basically giving them permanent access. The scary part is that plaintext or encrypted doesn't even matter if they're storing the decryption keys right next to the data, which a shocking number of cheap providers do.
7
blake_kelly1913d ago
Isn't it frustrating how much we just trust companies with our most private information without really knowing what they're doing with it? You make a great point about the keys being stored right alongside the data. I've seen that too in my own research, it's like leaving your house key under the doormat and then being surprised when someone walks in. It's not really about encryption at all if the keys are just sitting there in the same system. I think most people would be shocked if they actually read the data retention policies they agree to.
5