Adam Ostrow reports that financial planning application Rudder appears to have sent user’s confidential financial information to the wrong people, exposing users’ salary, debts, bank balance, and where they shop. Ostrow is trying to obtain some statement from Rudder. As of the time of this posting, there is no statement on their site either denying, confirming, or explaining the reports floating around the web. See some of the details/reports on FinCision, such as this one:
I received a total of 557 emails for other users accounts today. That’s not a trivial amount. And again, I can click the Dashboard link and it opens the web page logged in as the user. I tested it a step further by trying the ‘Settings’ link, then ‘Preferences’, ‘Email settings’. If I click the ‘change’ link next to the user email address, it opens up the two blank boxes to change and verify the users email address!
If anyone from Rudder would like to respond to these reports, I’d be happy to post their response here.
Update 1: Erick Schonfeld of TechCrunch got a response from Rudder:
Chief financial officer Nikunj Somaiya confirms that 732 accounts were compromised, or about 3.5 percent of active users. Members whose email start with the letters “a,” “b,” or a number had their account information shared before the company noticed and shut down all e-mail updates. Somaiya says, “We realize this is very sensitive information. We are extremely sorry.” But he also notes, “We get read-only access to balances and transaction. We don’t even store your banking user name and password. We can’t touch your money, nobody can move your money.” Yeah, but hundreds of Rudder members might now know how much other users have in their bank accounts.
It could have been worse. Rudder only lets members keep track of their financial accounts and balances in one place. It doesn’t allow people to access the underlying accounts. It doesn’t show passwords or social security numbers or even real names—unless, of course, you use your real name as your email address, which many people do.
So how did this happen? Rudder’s emails were getting caught up as spam by Yahoo, so all of its users with Yahoo Mail accounts weren’t getting any updates. After talking with Yahoo, Rudder added a new DomainKeys Identified Mail (DKMI) component to its outgoing emails last night which adds a signature to each email that verifies it is coming from a valid domain. But for some reason, “instead of separating the emails, it appended them together,” explains Somaiya. So those 732 users received not only their own financial updates, but also all of the updates from the appended accounts.